Abstract

This paper revisits the problem of determinacy inference, addressing the problem of how to uniformly handle cut. To this end a new semantics is introduced for cut, which is abstracted to systematically derive a backward analysis that derives conditions sufficient for a goal to succeed at most once. The method is conceptually simpler and easier to implement than existing techniques, whilst improving the latter's handling of cut. Formal arguments substantiate correctness, and experimental work with a tool called 'RedAlert' demonstrates the method's generality and applicability.
1 Introduction

The question of determinacy is constantly on the mind of a good Prolog programmer. It is almost as important to know that a goal will not compute an answer multiply as it is to know that it will compute the right answer. To this effect, Prolog programmers often use the cut to literally cut off all choice points that may lead to additional answers, once a goal has succeeded. A cut that is used to (brutely) enforce determinacy in this way is termed a "red cut" (O'Keefe, 1990).



O'Keefe also distinguishes between further uses of cut, namely "green cut" and 
"blue cut" , which are used to avoid repeating tests in clause selection and explor- 
ing clauses which would ultimately fail. Such classifications have been introduced 
to facilitate reasoning about the determinising effects of cut in different contexts. 
Since these issues are subtle, they motivate developing semantically justified tools 
which aid the programmer in reasoning about determinacy in the presence of cut. 

J. Kriener and A. King

In light of this close connection between determinacy and cut, it is clear that cut ought to play a prominent role in determinacy analysis. This was recognised by Sahlin (1991), twenty years ago, who proposed an analysis which checks whether a goal can succeed more than once. The analysis abstracts away from the instantiation of arguments within a call, which weakens its applicability. Mogensen (1996) recognised the need to ground the work of Sahlin on a formal semantics, yet his work illustrates the difficulty of constructing and then abstracting a semantics for cut. Very recently Schneider-Kamp et al. (2010) have shown how a semantics, carefully crafted to facilitate abstraction, can be applied to check termination of logic programs with cut on classes of calls. This raises the question of whether a semantics can be distilled which is amenable to inferring determinacy conditions. A good answer to this question will provide the basis for a tool that supports the software development process by providing determinacy conditions in the presence of cut.



1.1 Existing methods for determinacy inference 

The issue of inferring determinacy in logic programs has been considered before (Lu and King, 2005; King et al., 2006), though neither of the works adequately addressed the cut. King et al. (2006), for example, present a method for inferring determinacy conditions, initially for cut-free Prolog programs, by using suspension analysis in a constraint-based framework. Their motivation is to overcome a limitation of the method presented by Lu and King (2005) that arises from the way in which the order of the literals in the clause influences the strength of the determinacy conditions inferred. To demonstrate this problem, consider the following example:

diag([],[],_).
diag([(X,Y)|Xs],[(Y,X)|Ys],[_|Ds]) :- diag(Xs,Ys,Ds).

vert([],[],_).
vert([(X,Y)|Xs],[(X1,Y)|Ys],[_|Ds]) :- {X1 = -X}, vert(Xs,Ys,Ds).

rot(Xs,Ys) :- diag(Xs,Zs,Ys), vert(Zs,Ys,Xs).

(The constraint notation in the second clause of vert is needed to render the predicate multi-modal.) The method presented by Lu and King (2005) infers the groundness of Xs as a sufficient condition for the determinacy of rot(Xs,Ys). It does not detect that the groundness of Ys, too, is sufficient for determinacy. This is because the method only considers the left-to-right flow of information from one goal to the next. For instance, if rot(Xs,Ys) is called with Ys ground, then when the call diag(Xs,Zs,Ys) is encountered, neither Xs nor Zs is ground, hence the call is possibly non-deterministic and therefore the method concludes that only groundness of Xs is sufficient for determinacy of rot(Xs,Ys).

In response, King et al. (2006) propose a framework in which the order of the literals in a clause does not impose the implicit assumption that the determinacy of a goal is not affected by the bindings subsequently made by a later goal. To demonstrate, notice that if Ys is ground then the execution of vert(Zs,Ys,Xs) grounds Zs, which is sufficient for the earlier goal diag(Xs,Zs,Ys) to be deterministic as well. They achieve this by delaying execution of a goal until a mutual exclusion condition between its clauses is fulfilled and then using suspension inference (Genaim and King, 2008) to infer a determinacy condition for the goals that constitute the body of a clause. This allows them to infer the determinacy condition $Xs \vee Ys$ for the goal rot(Xs,Ys). Notice, however, the irony in solving a problem that arises from the failure to abstract away from the temporal order of execution by adding temporal complexity into the program.
1.2 Limitations of existing methods

However, the limitations of (King et al., 2006) become sharply apparent when considering the way that the framework is extended to cut: their method is extended by strengthening the determinacy condition for a predicate to ensure that calls before a cut are invoked with ground arguments only. While this treatment is sufficient to handle green and blue cuts, it means that a cut will invariably strengthen the determinacy conditions derived. This is unsatisfactory when considering red cuts, given that they are used to ensure determinacy. In that case, the presence of cut ought to have a weakening effect on determinacy conditions. To demonstrate, consider the following pair of predicates:

memberchk(X,L) :- member(X,L), !.

member(X,[X|_]).
member(X,[_|L]) :- member(X,L).

In the framework of King et al. (2006), memberchk inherits its determinacy conditions from member and (if necessary) strengthens them to ensure that the arguments in the call to member are ground. In this situation, the determinacy condition derived for member is false, which cannot be strengthened within the domain of boolean constraints. Therefore the determinacy condition derived for memberchk is false as well. However, it should be obvious that the effect of the red cut in this situation is to make memberchk deterministic independently of the determinacy of member. This example demonstrates that in the presence of cut, determinacy conditions on predicates cannot be derived by a straightforward compositional method where parent predicates inherit their conditions from their sub-predicates. Rather, the method needs to allow for weakening and disregarding of determinacy information in the transition from parent to sub-predicates. Aiming to develop a uniform technique for handling cut along these lines, this paper makes the following contributions:

• it presents a concise semantics for Prolog with cut, based on a cut-normal form, that constitutes the basis for a correctness argument (and as far as we are aware the sequence ordering underpinning the semantics is itself novel);

• it presents and proves correct a method for inferring determinacy conditions on Prolog predicates which abstracts over the order of their execution and is both conceptually simpler and easier to implement than previous techniques;

• it reports experimental work that demonstrates precision improvements over existing methods; correctness proofs are given in (Kriener and King, 2011).



2 Preliminaries 

2.1 Computational domains 

The basic domain underlying the semantics presented in the next section is the set of constraints, $\mathit{Con}$, containing diagonalization constraints of the form $x = y$, expressing constraints on and bindings to program variables. $\mathit{Con}$ is pre-ordered by the entailment relation, $\models$, and closed under disjunction and conjunction. We assume the existence of an extensive projection of $\theta$ onto $x$, denoted by $\bar\exists_x(\theta)$.
2.1.1 $\mathit{Con}^{\downarrow}$

Our concrete domain is the set of closed non-empty sets of constraints ($\mathit{Con}^{\downarrow}$), which represent program states by capturing all possible bindings to the program variables consistent with a specific set of constraints on the same. The elements of $\mathit{Con}^{\downarrow}$ are constructed thus: for any set of constraints $\Theta$, $\downarrow\Theta = \{\phi \mid \exists \theta \in \Theta . \phi \models \theta\}$, i.e. the set of all constraints that entail some constraint in $\Theta$. (Observe that $\downarrow\{false\} = \{false\}$.) In this construction, unification is straightforwardly modelled by intersection: the result of unifying variable $A$ with constant $c$ at state $\Theta$ is simply $\downarrow\{A = c\} \cap \Theta$. $\mathit{Con}^{\downarrow}$ is partially ordered by $\subseteq$ and $\langle \mathit{Con}^{\downarrow}, \subseteq, \{false\}, \downarrow\{true\}, \cup, \cap \rangle$ is a complete lattice. (Notice that $\emptyset \notin \mathit{Con}^{\downarrow}$.) Two projections, one an over-, the other an under-approximation, are defined on $\mathit{Con}^{\downarrow}$ as follows: $\bar\exists_x(\Theta) = \{\bar\exists_x(\theta) \mid \theta \in \Theta\}$ and $\bar\forall_x(\Theta) = \{\psi \in \Theta \mid \bar\exists_x(\psi) = \psi\}$. Notice that both projections on $\mathit{Con}^{\downarrow}$ are defined in terms of an arbitrary existential projection on the elements of $\mathit{Con}$. Each of these two is required later on to ensure soundness: the denotational and success set semantics (Sects. 3.1 and 3.2) need to be over-approximations to be correct. Intuitively, they need to capture all possible solutions, even at the cost of letting a few impossible ones slip in. The determinacy semantics (Sect. 3.3) needs to be an under-approximation, which in that context has the effect of strengthening the determinacy condition. Weakening would lead to a loss of soundness there. A renaming operator $\rho_{x,y}$ is defined on $\mathit{Con}^{\downarrow}$ thus: $\rho_{x,y}(\Theta) = \bar\exists_y(\bar\exists_x(\Theta) \cup \{x = y\})$. (Notice here that $\rho_{x,y}(\Theta) = \rho_{x,y}(\bar\exists_x(\Theta))$.) For a single constraint $\theta$, $\mathit{vars}(\theta)$ is the set of all variables occurring in $\theta$.

Similar to the notion of definiteness defined by Baker and Søndergaard (1993), a constraint fixes those variables in respect to which it cannot be strengthened:

$\mathit{fix}(\theta) = \{y \mid \forall \psi . ((\psi \models \theta \wedge \psi \not\models false) \Rightarrow \bar\exists_y(\theta) \models \bar\exists_y(\psi))\}$

Put simply, $\mathit{fix}(\theta)$ is the set of variables that are fixed or grounded by $\theta$.

In addition to these fairly standard constructions, we define two binary operators on $\mathit{Con}^{\downarrow}$ to express more complex relations between its elements. Given $\Theta_1, \Theta_2 \in \mathit{Con}^{\downarrow}$, their mutual exclusion (mux) is the union of all those $\phi \in \mathit{Con}$ which fix a set of variables on which $\Theta_1$ and $\Theta_2$ are inconsistent:

$\mathit{mux}(\Theta_1, \Theta_2) = \{\phi \mid \exists Y \subseteq \mathit{fix}(\phi) . (\bar\exists_Y(\Theta_1) \cap \bar\exists_Y(\Theta_2) = \{false\})\}$

For example, given two sets $\Theta_1 = \downarrow\{A = c, B = d\}$ and $\Theta_2 = \downarrow\{A = e, B = d\}$, their mutual exclusion will contain all constraints which fix the variable $A$ to any constant $f$: $\mathit{mux}(\Theta_1, \Theta_2) = \downarrow\{A = f\}$. Notice that, since $\Theta_1$ and $\Theta_2$ do not disagree on $B$, fixing $B$ will not distinguish between them and $B$ is therefore not constrained in $\mathit{mux}(\Theta_1, \Theta_2)$. Observe that for $\Theta_1, \Theta_2 \in \mathit{Con}^{\downarrow}$, $\mathit{mux}(\Theta_1, \Theta_2) \in \mathit{Con}^{\downarrow}$, i.e. the mux of two closed sets is closed, and that $\mathit{mux}(\Theta_1, \Theta_2) = \downarrow\{true\}$ if $\Theta_1$ or $\Theta_2$ is $\{false\}$.

Given $\Theta_1, \Theta_2 \in \mathit{Con}^{\downarrow}$, their implication is defined as the union of all those elements of $\mathit{Con}^{\downarrow}$ which, when combined with $\Theta_1$, form subsets of $\Theta_2$:

$\Theta_1 \rightarrow \Theta_2 = \bigcup\{\Phi \mid \Phi \cap \Theta_1 \subseteq \Theta_2\}$

For example, given two sets $\Theta_1 = \downarrow\{B = d\}$ and $\Theta_2 = \downarrow\{A = c, B = d\}$, $\Theta_1 \rightarrow \Theta_2 = \downarrow\{A = c\}$. Notice that this construction mirrors material implication on boolean formulae in that the following statements are true for any $\Theta$: $\downarrow\{true\} \rightarrow \Theta = \Theta$, $\Theta \rightarrow \downarrow\{true\} = \downarrow\{true\}$, $\{false\} \rightarrow \Theta = \downarrow\{true\}$, $\Theta \rightarrow \{false\} = \{false\}$. Notice also that it is possible to recover $\Theta_2$ from $\Theta_1 \rightarrow \Theta_2$ by simply intersecting the latter with $\Theta_1$: $\Theta_1 \rightarrow \Theta_2$ is, in a sense, a systematic weakening of $\Theta_2$ by $\Theta_1$.



2.1.2 $\mathit{Con}^{\downarrow *}$

To model the indeterministic behaviour of Prolog semantically, we extend $\mathit{Con}^{\downarrow}$ to finite sequences of its elements which do not contain the set $\{false\}$; the elements of this domain are denoted by $\vec\Theta$. Concatenation is denoted ':', e.g., $\Theta_1 : [\Theta_2, \Theta_3] = [\Theta_1, \Theta_2, \Theta_3]$. To obtain a top element we add a single infinite sequence, $\omega = [\downarrow\{true\}, \downarrow\{true\}, \ldots]$, and define $\mathit{Con}^{\downarrow *} = \{(\mathit{Con}^{\downarrow} \setminus \{\{false\}\})^n \mid n \geq 0\} \cup \{\omega\}$. $\mathit{Sub}_\ell(\vec\Theta)$ denotes the set of all subsequences of $\vec\Theta$ of length $\ell$, e.g. $\mathit{Sub}_2([\Theta_1, \Theta_2, \Theta_3]) = \{[\Theta_1, \Theta_2], [\Theta_2, \Theta_3], [\Theta_1, \Theta_3]\}$. Given a sequence of elements of $\mathit{Con}^{\downarrow}$, $\Theta^*$, $\mathit{trim}(\Theta^*)$ is the result of removing all instances of $\{false\}$ from $\Theta^*$.



$\mathit{Con}^{\downarrow *}$ can be partially ordered by a prefix ordering (as is done by Debray and Mishra (1988)). However, under that ordering, the presence of cut poses problems in defining suitable monotonic semantic operators. Therefore, we define a partial order $\sqsubseteq$ on $\mathit{Con}^{\downarrow *}$ thus: for all $\vec\Theta_1, \vec\Theta_2 \in \mathit{Con}^{\downarrow *}$, $(\vec\Theta_1 \sqsubseteq \vec\Theta_2)$ iff $\exists \vec\Phi \in \mathit{Sub}_m(\vec\Theta_2) . (\vec\Theta_1 \subseteq_{pw} \vec\Phi)$, where $|\vec\Theta_1| = m$ and $\subseteq_{pw}$ is point-wise comparison on sequences of equal length. The lattice $\langle \mathit{Con}^{\downarrow *}, \sqsubseteq, [\,], \omega, \sqcup, \sqcap \rangle$ is complete (see Appendix), with $\sqcap$ and $\sqcup$ defined as follows (note that $\sqcap$ is needed only to define the fixpoints):

$\vec\Theta_1 \sqcap \vec\Theta_2 = \begin{cases} \vec\Theta_2 & \text{if } \vec\Theta_1 = \omega \\ \vec\Theta_1 & \text{if } \vec\Theta_2 = \omega \\ \vec\Theta_2 \sqcap \vec\Theta_1 & \text{if } n < m \\ \mathit{trim}(\bigcup_{pw}\{\vec\Theta_1 \cap_{pw} \vec\Phi \mid \vec\Phi \in \mathit{Sub}_m(\vec\Theta_2)\}) & \text{otherwise} \end{cases}$

where $|\vec\Theta_1| = m$, $|\vec\Theta_2| = n$, and $\bigcup_{pw}$ and $\cap_{pw}$ are point-wise union and intersection, which require their operands to be of equal length. $\sqcap S$ is defined as the lifting of $\sqcap$ to sets in the natural way. From this we can define $\sqcup S = \sqcap\{\vec\Theta \mid \forall \vec\Phi \in S . \vec\Phi \sqsubseteq \vec\Theta\}$ in the normal way. The operators $\downarrow$, $\bar\exists_x$, $\bar\forall_x$ and $\rho_{x,y}$ are all lifted straightforwardly to the elements of $\mathit{Con}^{\downarrow *}$ as the results of applying the same operations to each member of a given $\vec\Theta$, e.g. $\downarrow\bar\exists_x([\Theta_1, \Theta_2]) = [\downarrow\bar\exists_x(\Theta_1), \downarrow\bar\exists_x(\Theta_2)]$. $\bigcup\vec\Theta$ denotes the union of all the elements of $\vec\Theta$, which itself is an element of $\mathit{Con}^{\downarrow}$. Finally, to save some space in the presentation of the definition of $\mathcal{F}_G$ in Section 3.1, a mixed $\cap$ is defined thus: $(\Phi : \vec\Phi) \cap \Theta = (\Phi \cap \Theta) : (\vec\Phi \cap \Theta)$.



2.2 Cut normal form 

To simplify the presentation of the semantics, we require each predicate in the analysed program to be defined in a single definition of the form $p(\bar x) \leftarrow G_1 ; G_2, !, G_3 ; G_4$. For example, the memberchk and member predicates can be transformed to:

memberchk(X, L) :- false; (member(X, L), !, true); false.

member(X, L) :- L = [X|_]; (false, !, true); (L = [_|L_1], member(X, L_1)).

where true and false abbreviate post(true) and post(false) respectively. This does not introduce a loss of generality. (For details on this transformation see Appendix.)
2.3 Syntax and stratification

Given this normal form, the syntax of our programs is defined as follows:

Head ::= $p(\bar x)$ (where $\bar x$ is a vector of distinct variables)
Goal ::= post($\theta$) | Head | Goal, Goal
Predicate ::= Head ← Goal ; Goal , ! , Goal ; Goal
Program ::= ε | Predicate · Program

where post($\theta$) indicates that $\theta$ is added to the current constraint store. Again, $\mathit{vars}(G)$ is the set of variables in a goal $G$. Further, $\mathit{heads}(P)$ contains the heads of the predicates defined in $P$.

One would expect that an off-the-shelf denotational semantics could be taken and abstracted to distill a form of determinacy inference. However, the non-monotonic nature of cut poses a problem for the definition of such a semantics. In particular, cut can be used to define inconsistent predicates, e.g. $p \leftarrow false ; p, !, false ; true$. To construct a denotational semantics, we have to address the problem posed by predicates like $p$, which cannot be assigned a consistent semantics.



Apt et al. (1988) address a parallel problem in the context of negation by banning the use of such viciously circular definitions. To this end, they introduce the notion of stratification with respect to negation. In their view, negation is used 'safely' if all predicates falling under the scope of a negation are defined independently of the predicate in which that negation occurs. Given the similarity between cut and not, it is natural to adopt a similar approach towards our analogous problem. We define stratification with respect to cut, assuming that cut is used safely if only predicates that are defined independently of the context of a cut can decide whether it is reached or not: a program $P$ is cut-stratified if there exists a partition $P = P_1 \cup \ldots \cup P_n$ such that the following two conditions are met for all $1 \leq i \leq n$:

1. For all $p(\bar x) \leftarrow G_1 ; G_2, !, G_3 ; G_4$ in $P_i$, all calls in $G_2$ are to predicates in $\bigcup_{j < i} P_j$.

2. For all $p(\bar x) \leftarrow G_1 ; G_2, !, G_3 ; G_4$ in $P_i$, all calls in $G_1$, $G_3$ and $G_4$ are to predicates in $\bigcup_{j \leq i} P_j$.

Henceforth, we shall simply write 'stratified' to mean 'cut-stratified'. Notice that this restriction is almost purely theoretical. In the worst case, a cut after a recursive call produces a situation like or similar to that of the predicate $p$ above, which has no stable semantics and in practice introduces an infinite loop. In the best case, such a cut is simply redundant. Either way, we have not been able to find such a cut in an actual Prolog program, nor have we been able to come up with an example in which such a cut is put to good use.



3 Semantics 

Given these preliminaries, we can now define a denotational semantics for Prolog with cut (section 3.1), over $\mathit{Con}^{\downarrow *}$, which is expressive enough to capture multiple answers, and a determinacy semantics (section 3.3), over $\mathit{Con}^{\downarrow}$, suitable for abstraction to boolean conditions. The success set semantics presented in between these two (section 3.2) provides a link between them.
3.1 Denotational semantics

To establish a basis for arguing the determinacy semantics presented in the following sections correct, we define a denotational semantics for Prolog with cut. The driving intuition here is that the semantics of a program $P$ is a mapping from goals called in the context of $P$ to sequences of possible answer substitutions. The context is provided by an environment ($\mu$), henceforth called a success environment to distinguish it from other types of environments, which is a mapping from predicate heads and $\mathit{Con}^{\downarrow *}$ to $\mathit{Con}^{\downarrow *}$: $\mathit{Env} ::= \mathit{Head} \rightarrow \mathit{Con}^{\downarrow *} \rightarrow \mathit{Con}^{\downarrow *}$. The notation $\mu[p(\bar y) \mapsto \vec\Theta]$ denotes the result of updating $\mu$ with a new assignment from $p(\bar y)$ to $\vec\Theta$. For a given program $P$, the set $E_P$ of success environments is point-wise partially ordered by: $\mu_1 \sqsubseteq \mu_2$ iff $\forall p(\bar y), \vec\Theta . (\mu_1(p(\bar y))(\vec\Theta) \sqsubseteq \mu_2(p(\bar y))(\vec\Theta))$. For any program $P$ the lattice $\langle E_P, \sqsubseteq, \mu_\bot, \mu_\top, \sqcup, \sqcap \rangle$ is complete, where:

$\mu_\bot = \lambda p(\bar y)\,\vec\Theta . [\,]$ and $\mu_\top = \lambda p(\bar y)\,\vec\Theta . \omega$

$\mu_1 \sqcup \mu_2 = \mu_3$ such that $\forall \vec\Theta, p(\bar y) \in \mathit{heads}(P) . (\mu_3(p(\bar y))\vec\Theta = \mu_1(p(\bar y))\vec\Theta \sqcup \mu_2(p(\bar y))\vec\Theta)$

$\mu_1 \sqcap \mu_2 = \mu_3$ such that $\forall \vec\Theta, p(\bar y) \in \mathit{heads}(P) . (\mu_3(p(\bar y))\vec\Theta = \mu_1(p(\bar y))\vec\Theta \sqcap \mu_2(p(\bar y))\vec\Theta)$

And $\sqcup$ and $\sqcap$ are lifted to sets of environments in the normal way.
Definition 1

For a given stratified program $P$, its semantics $\mu_P$ is defined as a fixpoint of $\mathcal{F}_P$:

$\mathcal{F}_P :: \mathit{Program} \rightarrow \mathit{Env} \rightarrow \mathit{Env}$

$\mathcal{F}_P[\![\varepsilon]\!]\mu = \mu$

$\mathcal{F}_P[\![P \cdot Ps]\!]\mu = \mathcal{F}_P[\![Ps]\!](\mu[p(\bar y) \mapsto (\mathcal{F}_H[\![P]\!]\mu)(p(\bar y))])$ where $P = p(\bar y) \leftarrow B$

$\mathcal{F}_H :: \mathit{Predicate} \rightarrow \mathit{Env} \rightarrow \mathit{Env}$

$\mathcal{F}_H[\![p(\bar y) \leftarrow B]\!]\mu = \mu[p(\bar y) \mapsto \lambda\vec\Theta . \downarrow\bar\exists_{\bar y}(\mathcal{F}_G[\![G_1]\!]\mu\vec\Theta : \vec\Phi)]$

where $\vec\Phi = \begin{cases} \mathcal{F}_G[\![G_3]\!]\mu[\Phi] & \text{if } \mathcal{F}_G[\![G_2]\!]\mu\vec\Theta = \Phi : \vec\Phi' \\ \mathcal{F}_G[\![G_4]\!]\mu\vec\Theta & \text{otherwise} \end{cases}$ and $B = G_1 ; G_2, !, G_3 ; G_4$

$\mathcal{F}_G :: \mathit{Goal} \rightarrow \mathit{Env} \rightarrow \mathit{Con}^{\downarrow *} \rightarrow \mathit{Con}^{\downarrow *}$

$\mathcal{F}_G[\![G]\!]\mu[\,] = [\,]$

$\mathcal{F}_G[\![post(\phi)]\!]\mu(\Theta : \vec\Theta) = \mathit{trim}(\downarrow\{\phi\} \cap \Theta : \mathcal{F}_G[\![post(\phi)]\!]\mu\vec\Theta)$

$\mathcal{F}_G[\![p(\bar x)]\!]\mu(\Theta : \vec\Theta) = (\downarrow\bar\exists_{\bar x}(\rho_{\bar y,\bar x}(\mu(p(\bar y))(\rho_{\bar x,\bar y}([\Theta]))))) \cap \Theta : \mathcal{F}_G[\![p(\bar x)]\!]\mu\vec\Theta$
  where $p(\bar y) \in \mathit{dom}(\mu)$ and $\mathit{vars}(\bar x) \cap \mathit{vars}(\bar y) = \emptyset$

$\mathcal{F}_G[\![G_1, G_2]\!]\mu(\Theta : \vec\Theta) = \mathcal{F}_G[\![G_2]\!]\mu(\mathcal{F}_G[\![G_1]\!]\mu(\Theta : \vec\Theta))$

Observe that given a stratified program $P = P_1 \cup \ldots \cup P_n$, $\mathcal{F}_P$ is monotonic, under our sub-sequence order, within each stratum $P_i$. By Tarski's theorem, $\mathcal{F}_P[\![P_i]\!]$ has a least fixed point. $\mu_P$ can therefore be defined as the result of evaluating all strata in order from lowest to highest, starting with $\mu_\bot$ and then taking the least fixed point of the previous stratum as input to the evaluation of the next stratum.

The crucial part is in $\mathcal{F}_H$, which updates the assignments in the success environment and reflects the possible indeterminacy in a predicate by splitting the resulting sequence up into the possibility resulting from executing $G_1$ and that resulting from either executing $G_3$ or $G_4$, depending on the success of $G_2$. Given a call to a predicate, $\mathcal{F}_G$ imposes onto each open possibility (i.e. each member of $\vec\Theta$) the constraints associated with that predicate in the given $\mu$. The constraints are determined by the application of $\mu$ to that predicate, after first applying the projection and renaming operations required to match formal and actual parameters. Information about other variables, which is lost in that process, is recovered by intersecting the result of the predicate call with the previous state of computation. The effect of this is that constraints on the variables that the predicate is called on are strengthened in accordance with its definition, while those on all other variables are preserved. Given a goal of the form 'post($\phi$)' or '$G_1, G_2$', $\mathcal{F}_G$ does what you would expect: in the former case, it imposes $\phi$ onto each open possibility in the current state of computation, filtering out those possibilities which fail as a result. In the latter case, it successively evaluates $G_1$ and $G_2$. Notice further that given an empty sequence (i.e. a failed state of computation), $\mathcal{F}_G$ simply returns an empty sequence, regardless of its other parameters.

Example 1

To illustrate, suppose member(A,S) and memberchk(A,S) are called at a point in a program where there is only one possible set of bindings $\Theta = \downarrow\{A = 3 \wedge S = [3, 2, 3]\}$.

$\mathcal{F}_G[\![member(A,S)]\!]\mu[\Theta] = [\Theta \cap \downarrow\{S = [A|\_]\}, \Theta]$

$\mathcal{F}_G[\![memberchk(A,S)]\!]\mu[\Theta] = [\Theta \cap \downarrow\{S = [A|\_]\}]$

3.2 Success set semantics 

For the purposes of the determinacy inference, a coarser representation of the constraints under which a goal can succeed is given by the following pair of functions.

Definition 2

For a given program $P$, $\mathcal{S}_G :: \mathit{Goal} \rightarrow \mathit{Con}^{\downarrow}$ and $\mathcal{S}_H :: \mathit{Head} \rightarrow \mathit{Con}^{\downarrow}$ are defined as the least maps such that:

$\mathcal{S}_G[\![post(\theta)]\!] = \downarrow\{\theta\}$

$\mathcal{S}_G[\![p(\bar x)]\!] = \rho_{\bar y,\bar x}(\mathcal{S}_H[\![p(\bar y)]\!])$ where $p(\bar y) \leftarrow B \in P$ and $\mathit{vars}(\bar x) \cap \mathit{vars}(\bar y) = \emptyset$

$\mathcal{S}_G[\![G_1, G_2]\!] = \mathcal{S}_G[\![G_1]\!] \cap \mathcal{S}_G[\![G_2]\!]$

$\mathcal{S}_H[\![p(\bar y)]\!] = \downarrow\bar\exists_{\bar y}(\mathcal{S}_G[\![G_1]\!] \cup \mathcal{S}_G[\![G_2, G_3]\!] \cup \mathcal{S}_G[\![G_4]\!])$ where $p(\bar y) \leftarrow B \in P$ and $B = G_1 ; G_2, !, G_3 ; G_4$

Example 2

To illustrate, consider again member and memberchk: $\mathcal{S}_G[\![memberchk(A,S)]\!] = \mathcal{S}_G[\![member(A,S)]\!] = \downarrow\{S = [A|\_]\} \cup \downarrow\{S = [\_, A|\_]\} \cup \downarrow\{S = [\_, \_, A|\_]\} \cup \ldots$

Theorem 1 states that $\mathcal{S}$ is a sound over-approximation of $\mathcal{F}$:

Theorem 1

$\bigcup \mathcal{F}_G[\![G]\!]\mu_P\vec\Theta \subseteq (\bigcup\vec\Theta) \cap \mathcal{S}_G[\![G]\!]$. Proof: See Appendix.



3.3 Determinacy semantics 

With these in place, we can construct and prove correct a group of functions to derive a set of constraints which guarantee the determinacy of a goal in the context of a program $P$, its determinacy condition, henceforth abbreviated to 'dc'. As before, the context is provided as an environment: a determinacy environment ($\delta$) is a mapping from predicate heads to $\mathit{Con}^{\downarrow}$: $\mathit{DEnv} ::= \mathit{Head} \rightarrow \mathit{Con}^{\downarrow}$. Again, $\delta[p(\bar y) \mapsto \Theta]$ is an update operation. As above, the set $E_P$ of determinacy environments for a program $P$ is partially ordered point-wise by: $\delta_1 \sqsubseteq \delta_2$ iff $\forall p(\bar y) . (\delta_1(p(\bar y)) \subseteq \delta_2(p(\bar y)))$. The lattice $\langle E_P, \sqsubseteq, \delta_\bot, \delta_\top, \sqcup, \sqcap \rangle$ is complete, with:

$\delta_\bot = \lambda p(\bar y) . \{false\}$ and $\delta_\top = \lambda p(\bar y) . \downarrow\{true\}$

$\delta_1 \sqcup \delta_2 = \delta_3$ such that $\forall p(\bar y) \in \mathit{heads}(P) . (\delta_3(p(\bar y)) = \delta_1(p(\bar y)) \cup \delta_2(p(\bar y)))$

$\delta_1 \sqcap \delta_2 = \delta_3$ such that $\forall p(\bar y) \in \mathit{heads}(P) . (\delta_3(p(\bar y)) = \delta_1(p(\bar y)) \cap \delta_2(p(\bar y)))$

And again, $\sqcup$ and $\sqcap$ are lifted to sets in the normal way.

Definition 3

The determinacy semantics $\delta_P$ of a program $P$ is the greatest fixpoint of $\mathcal{D}_P[\![P]\!]$:

$\mathcal{D}_P :: \mathit{Program} \rightarrow \mathit{DEnv} \rightarrow \mathit{DEnv}$

$\mathcal{D}_P[\![\varepsilon]\!]\delta = \delta$

$\mathcal{D}_P[\![P \cdot Ps]\!]\delta = \mathcal{D}_P[\![Ps]\!](\delta[p(\bar y) \mapsto (\mathcal{D}_H[\![P]\!]\delta)(p(\bar y))])$ where $P = p(\bar y) \leftarrow B$

$\mathcal{D}_H :: \mathit{Predicate} \rightarrow \mathit{DEnv} \rightarrow \mathit{DEnv}$

$\mathcal{D}_H[\![p(\bar y) \leftarrow B]\!]\delta = \delta[p(\bar y) \mapsto \downarrow\bar\forall_{\bar y}(\mathcal{D}_G[\![G_1]\!]\delta \cap (\mathcal{S}_G[\![G_2]\!] \rightarrow \mathcal{D}_G[\![G_3]\!]\delta) \cap \mathcal{D}_G[\![G_4]\!]\delta \cap \Theta_1 \cap \Theta_2)]$

where $\Theta_1 = \mathit{mux}(\mathcal{S}_G[\![G_1]\!], \mathcal{S}_G[\![G_4]\!])$, $\Theta_2 = \mathit{mux}(\mathcal{S}_G[\![G_1]\!], \mathcal{S}_G[\![G_2, G_3]\!])$ and $p(\bar y) \leftarrow G_1 ; G_2, !, G_3 ; G_4 \in P$

$\mathcal{D}_G :: \mathit{Goal} \rightarrow \mathit{DEnv} \rightarrow \mathit{Con}^{\downarrow}$

$\mathcal{D}_G[\![post(\phi)]\!]\delta = \downarrow\{true\}$

$\mathcal{D}_G[\![p(\bar x)]\!]\delta = \rho_{\bar y,\bar x}\bar\forall_{\bar y}(\delta(p(\bar y)))$ where $p(\bar y) \in \mathit{dom}(\delta)$

$\mathcal{D}_G[\![G_1, G_2]\!]\delta = (\mathcal{S}_G[\![G_2]\!] \rightarrow \mathcal{D}_G[\![G_1]\!]\delta) \cap (\mathcal{S}_G[\![G_1]\!] \rightarrow \mathcal{D}_G[\![G_2]\!]\delta)$

Given a goal of the form 'post($\phi$)', $\mathcal{D}_G$ returns $\downarrow\{true\}$ since the goal cannot introduce indeterminacy in the computation. As before, given a predicate call, $\mathcal{D}_G$ applies the projection and renaming necessary to match parameters before calling $\mathcal{D}_H$. Notice that the projection used here is $\bar\forall$, since an under-approximation is required to derive a sufficient condition. $\mathcal{D}_H$ maps predicates defined in cut normal form to a condition that entails: (a) the dc for $G_1$; (b) the dc for $G_3$ weakened by the success set of $G_2$, the intuition here being that the dc for $G_3$ will only be relevant if $G_2$ can succeed and therefore its dc can be weakened by the success set of $G_2$; (c) the dc for $G_4$; and finally mutual exclusion conditions for the two possibilities arising from the structure of the predicate definition. (The case that needs to be excluded is that of $G_1$ succeeding and subsequently $G_2$ and $G_3$ succeeding, or subsequently $G_2$ failing and $G_4$ succeeding.) Finally, when given a compound goal '$G_1, G_2$', $\mathcal{D}_G$ returns a condition that entails both the dc for $G_2$ weakened by the success set of $G_1$ and the dc for $G_1$ weakened by the success set of $G_2$. The intuition here is that the temporal order of execution is irrelevant. Weakening the dc for $G_2$ by the success set of $G_1$ is intuitive, since one can safely assume that $G_1$ will have succeeded at the point when determinacy of $G_2$ needs to be enforced. But similarly, when enforcing determinacy on $G_1$, one can safely assume that $G_2$ will succeed, since both $G_1$ and $G_2$ need to succeed for the compound goal to succeed.

Example 3

Consider again member and memberchk. Observe that $\mathcal{D}_G[\![member(A,S)]\!]\delta = \{false\}$, since $\mathit{mux}(\mathcal{S}_G[\![G_1]\!], \mathcal{S}_G[\![G_4]\!]) = \{false\}$ is a component of $\mathcal{D}_H[\![member(X,L)]\!]\delta$, where $G_1 = (L = [X|\_])$ and $G_4 = (L = [\_|L_1], member(X, L_1))$. member is therefore inferred to be non-deterministic for exactly the right reason: there is no groundness condition on its parameters such that only one of its clauses can succeed.

$\mathcal{D}_G[\![memberchk(A,S)]\!]\delta = \downarrow\rho_{\bar y,\bar x}\bar\forall_{\bar y}(\downarrow\{true\} \cap (\mathcal{S}_G[\![member(A,S)]\!] \rightarrow \downarrow\{true\}) \cap \downarrow\{true\} \cap \mathit{mux}(\{false\}, \{false\}) \cap \mathit{mux}(\{false\}, \mathcal{S}_G[\![member(A,S), true]\!])) = \downarrow\{true\}$

The crucial observation here is that $\mathcal{D}_G[\![member(A,S)]\!]\delta$ is not required in this construction at all; memberchk does not simply inherit its condition from member.

Theorem 2 states that, in the context of a stratified program $P$, the condition given by $\mathcal{D}_G[\![G]\!]\delta_P$ is indeed sufficient to guarantee the determinacy of a call to $G$:

Theorem 2

If $\Theta \subseteq \mathcal{D}_G[\![G]\!]\delta_P$ then $|\mathcal{F}_G[\![G]\!]\mu_P[\Theta]| \leq 1$ for stratified $P$ (i.e. $P = P_0 \cup \ldots \cup P_n$). Proof: See Appendix.



4 Abstraction 

In order to synthesize a determinacy inference from the above determinacy semantics, we systematically under-approximate sets of constraints with boolean formulae that express groundness conditions. $\mathit{Pos}$, however, is augmented with a constant for falsity, so as to express unsatisfiable requirements. The abstract domain $\langle \mathit{Pos}_\bot, \models, true, false, \wedge, \vee \rangle$ is a complete lattice (Armstrong et al., 1998) and to define the abstraction of a single atomic constraint we introduce:

$\alpha_{\bar x}(\theta) = (\bigwedge(\mathit{vars}(\bar x) \cap \mathit{fix}(\theta)) \wedge \neg\bigvee(\mathit{vars}(\bar x) \setminus \mathit{fix}(\theta))) \vee \bigwedge\mathit{vars}(\bar x)$

For example, if $\theta = (A = c)$ then $\alpha_{\langle A \rangle}(\theta) = A$, while $\alpha_{\langle A,B,C \rangle}(\theta) = (A \wedge \neg B \wedge \neg C) \vee (A \wedge B \wedge C)$. Notice that finiteness is achieved by limiting the scope to a finite vector of variables $\bar x$. A Galois connection can then be established thus:

$\alpha_{\bar x} :: \mathit{Con}^{\downarrow} \rightarrow \mathit{Pos}_\bot$ and $\gamma_{\bar x} :: \mathit{Pos}_\bot \rightarrow \mathit{Con}^{\downarrow}$

$\alpha_{\bar x}(\Theta) = \bigvee\{\alpha_{\bar x}(\theta) \mid \theta \in \Theta \wedge \theta \not\models false\}$ and $\gamma_{\bar x}(f) = \bigcup\{\Theta \in \mathit{Con}^{\downarrow} \mid \alpha_{\bar x}(\Theta) \models f\}$

For instance, if $\Theta = \downarrow\{A = c, B = d\}$ then $\alpha_{\langle A,B \rangle}(\Theta) = A \wedge B$.

The following two propositions and two axioms establish relations between the concrete notions of implication, mutual exclusion and the projections and their abstract counterparts. (Notice that abstract implication is simply boolean implication.)

Abstract Implication. Proposition 1 establishes the link between concrete and abstract implication as follows:

Proposition 1

If $\Theta_1 \subseteq \gamma_{\bar x}(f_1)$ and $\gamma_{\bar x}(f_2) \subseteq \Theta_2$ then $\gamma_{\bar x}(f_1 \rightarrow f_2) \subseteq \Theta_1 \rightarrow \Theta_2$. Proof: See Appendix.

Abstract Mutual Exclusion. In order to construct an abstract mutual exclusion operator we need to approximate elements of $\mathit{Con}^{\downarrow}$. We do so with depth-$k$ abstractions, which are finite sets $\Theta^k \subseteq \mathit{Con}$ such that each atomic constraint $\theta$ of the form $x = t$ occurring in $\Theta^k$ has a term $t$ whose depth does not exceed $k$. From these we synthesize boolean requirements sufficient for mutual exclusion thus:

$\mathit{mux}^\alpha_{\bar x}(\Theta_1^k, \Theta_2^k) = \bigvee\{\bigwedge Y \mid Y \subseteq \mathit{vars}(\bar x) \wedge \forall \theta_1 \in \Theta_1^k, \theta_2 \in \Theta_2^k . (\bar\exists_Y(\theta_1) \wedge \bar\exists_Y(\theta_2) = \bot)\}$

Notice, again, that $\mathit{mux}^\alpha_{\bar x}(\Theta_1^k, \Theta_2^k) = true$ if either of $\Theta_1^k$ or $\Theta_2^k$ is $\{false\}$.

Example 4

Consider $\mathit{mux}^\alpha_{\langle X,L \rangle}(\{L = [\,]\}, \mathcal{S}_G[\![G_4]\!]^k)$ where $G_4 = (L = [\_|L_1], member(X, L_1))$. If depth $k = 3$, then $\mathcal{S}_G[\![G_4]\!]^k = \{\theta_1, \theta_2\}$ where $\theta_1 = (L_1 = [X|\_] \wedge L = [\_|L_1])$ and $\theta_2 = (L_1 = [\_, X|\_] \wedge L = [\_|L_1])$. In this situation $\mathit{mux}^\alpha_{\langle X,L \rangle}(\{L = [\,]\}, \mathcal{S}_G[\![G_4]\!]^k)$ is $L \vee (L \wedge X) = L$.

Proposition 2 states how this abstract construction and the concrete one are related:

Proposition 2

$\gamma_{\bar x}(\mathit{mux}^\alpha_{\bar x}(\Theta_1^k, \Theta_2^k)) \subseteq \mathit{mux}(\Theta_1, \Theta_2)$. Proof: See Appendix.
Abstract Projections. Had we defined a specific concrete projection on single constraints, we could synthesise abstract ones in the standard way (Cousot and Cousot, 1979). However, since both concrete projection operators on $\mathit{Con}^{\downarrow}$ are defined in terms of an arbitrary projection on single constraints, we follow Giacobazzi (1993, Sect. 7.1.1) in simply requiring the following to hold for any such projection:

$\bar\exists_{\bar x}(\gamma(f)) \subseteq \gamma(\exists_{\bar x}(f))$ and $\gamma(\forall_{\bar x}(f)) \subseteq \bar\forall_{\bar x}(\gamma(f))$

In addition to the above two axioms, a requirement on the relation between concrete and abstract renaming functions in the context of universal projection is stipulated.
4.1 Abstract success semantics

The last construction that needs to be abstracted in order to mechanise the determinacy semantics presented above is the success set construction $\mathcal{S}$.

Definition 4

The abstract success semantics is defined as the least maps $\mathcal{S}^\alpha_G$, $\mathcal{S}^\alpha_H$ such that:

where $p(\bar y) \leftarrow B \in P$

where $p(\bar y) \leftarrow B \in P$ and $B = G_1 ; G_2, !, G_3 ; G_4$

Proposition 3 formalises the connection between $\mathcal{S}^\alpha$ and its concrete counterpart:

Proposition 3

$\mathcal{S}_G[\![G]\!] \subseteq \gamma_{\mathit{vars}(G)}(\mathcal{S}^\alpha_G[\![G]\!])$. Proof: standard.

Depth-$k$ abstractions can be derived analogously to groundness dependencies and therefore we omit these details.



4.2 Determinacy inference

Finally, an abstract determinacy environment ($\delta^\alpha$) is a mapping from predicate heads to Boolean formulae representing groundness conditions on the arguments of the predicate sufficient to guarantee determinacy of a call to that predicate: $\mathit{ADEnv} ::= \mathit{Head} \rightarrow \mathit{Pos}_\bot$. As in the case of determinacy environments, the set of abstract determinacy environments for a given program ($E^\alpha_P$) is partially ordered point-wise by $\delta^\alpha_1 \sqsubseteq \delta^\alpha_2$ iff $\forall p(\bar y) . (\delta^\alpha_1(p(\bar y)) \models \delta^\alpha_2(p(\bar y)))$. The lattice $\langle E^\alpha_P, \sqsubseteq, \delta^\alpha_\bot, \delta^\alpha_\top, \sqcup, \sqcap \rangle$ is complete, where $\delta^\alpha_\top = \lambda p(\bar y) . true$, $\delta^\alpha_\bot = \lambda p(\bar y) . false$ and $\sqcup$ and $\sqcap$ are constructed analogously to the case of concrete environments. For a given program $P$, its abstract determinacy semantics $\delta^\alpha_P$ is defined as the greatest fixed point of $\mathcal{D}^\alpha_P[\![P]\!]\delta^\alpha$, where $\mathcal{D}^\alpha_P$ is given by the following construction which, unsurprisingly, is very similar in structure to the definition of $\mathcal{D}_P$. (We write $(\mathcal{S}^\alpha_G[\![G]\!])^k$ as $\mathcal{S}^{\alpha,k}_G[\![G]\!]$.)



Definition 5

$\mathcal{D}^\alpha_P :: \mathit{Program} \rightarrow \mathit{ADEnv} \rightarrow \mathit{ADEnv}$

$\mathcal{D}^\alpha_P[\![\varepsilon]\!]\delta^\alpha = \delta^\alpha$

$\mathcal{D}^\alpha_P[\![P \cdot Ps]\!]\delta^\alpha = \mathcal{D}^\alpha_P[\![Ps]\!](\delta^\alpha[p(\bar y) \mapsto (\mathcal{D}^\alpha_H[\![P]\!]\delta^\alpha)(p(\bar y))])$ where $P = p(\bar y) \leftarrow B$

$\mathcal{D}^\alpha_H :: \mathit{Predicate} \rightarrow \mathit{ADEnv} \rightarrow \mathit{ADEnv}$

$\mathcal{D}^\alpha_H[\![p(\bar y) \leftarrow B]\!]\delta^\alpha = \delta^\alpha[p(\bar y) \mapsto \forall_{\bar y}(\mathcal{D}^\alpha_G[\![G_1]\!]\delta^\alpha \wedge (\mathcal{S}^\alpha_G[\![G_2]\!] \rightarrow \mathcal{D}^\alpha_G[\![G_3]\!]\delta^\alpha) \wedge \mathcal{D}^\alpha_G[\![G_4]\!]\delta^\alpha \wedge f_1 \wedge f_2)]$

where $f_1 = \mathit{mux}^\alpha_{\mathit{vars}(\bar y)}(\mathcal{S}^{\alpha,k}_G[\![G_1]\!], \mathcal{S}^{\alpha,k}_G[\![G_4]\!])$, $f_2 = \mathit{mux}^\alpha_{\mathit{vars}(\bar y)}(\mathcal{S}^{\alpha,k}_G[\![G_1]\!], \mathcal{S}^{\alpha,k}_G[\![G_2, G_3]\!])$ and $B = G_1 ; G_2, !, G_3 ; G_4$

$\mathcal{D}^\alpha_G :: \mathit{Goal} \rightarrow \mathit{ADEnv} \rightarrow \mathit{Pos}_\bot$

$\mathcal{D}^\alpha_G[\![post(\phi)]\!]\delta^\alpha = true$

$\mathcal{D}^\alpha_G[\![p(\bar x)]\!]\delta^\alpha = \rho_{\bar y,\bar x}\forall_{\bar y}(\delta^\alpha(p(\bar y)))$ where $p(\bar y) \in \mathit{dom}(\delta^\alpha)$

$\mathcal{D}^\alpha_G[\![G_1, G_2]\!]\delta^\alpha = (\mathcal{S}^\alpha_G[\![G_2]\!] \rightarrow \mathcal{D}^\alpha_G[\![G_1]\!]\delta^\alpha) \wedge (\mathcal{S}^\alpha_G[\![G_1]\!] \rightarrow \mathcal{D}^\alpha_G[\![G_2]\!]\delta^\alpha)$

Theorem 3 states that each parallel application of $\mathcal{D}_P$ and $\mathcal{D}^\alpha_P$ preserves the correspondence between the $\delta$ and its abstract counterpart, and Corollary 1 states a direct consequence of this, namely that the same correspondence holds between the greatest fixpoints of these constructions.

Theorem 3

$\forall i \in \mathbb{N} : \gamma_{vars(G)}(\mathcal{D}^\alpha_G[G]\delta^\alpha_i) \subseteq \mathcal{D}_G[G]\delta_i$, where $\delta^\alpha_i$ (resp. $\delta_i$) are the results of $i$ applications of $\mathcal{D}^\alpha_P[P]$ (resp. $\mathcal{D}_P[P]$) to $\delta^\alpha_\top$ (resp. $\delta_\top$). Proof: See Appendix.

Corollary 1

$\gamma_{vars(G)}(\mathcal{D}^\alpha_G[G]\delta^\alpha_P) \subseteq \mathcal{D}_G[G]\delta_P$. Proof: Straightforward.

These two statements establish, in effect, that $\delta^\alpha_P$ is correct with respect to (i.e. is a sound under-approximation of) $\delta_P$. The significance of this is that the correctness of $\mathcal{D}_G[G]\delta_P$ as a determinacy condition for G, which was proved in the last section, is carried over to $\mathcal{D}^\alpha_G[G]\delta^\alpha_P$. Since the latter is finite and can be mechanised, an implementation is therefore proven to give a correct (if possibly overly strong) determinacy condition for a goal G in the context of a stratified program P.



5 Implementation 



The determinacy inference specified in the previous section is realised as a tool called 'RedAlert', using a simple bottom-up fixpoint engine in the style of those discussed by Codish and Søndergaard (2002). Boolean formulae are represented in CNF as lists of lists of non-ground variables. In this way, renaming is straightforward and conjunction is reduced to list-concatenation (Howe and King, 2001). However, disjunction, implication and existential quantifier elimination are performed by enumerating prime implicants (Brauer et al., 2011), which reduces these operations to incremental SAT. The solver is called through a foreign language interface following Codish et al. (2008). It is interesting to note that we have not found any of the benchmarks to be non-stratified, though even if this were the case, a problematic cut could be discarded, albeit at the cost of precision.

In the case of the memberchk predicate mentioned in the introduction, the implementation does indeed infer true as its determinacy condition, as desired. To discuss a more interesting case, consider the partition predicate of quicksort.

% pt(List, Pivot, Lesser, Greater): splits List into the elements =< Pivot and the rest
pt([], _, [], []).
pt([X|Xs], M, [X|L], G) :- X =< M, !, pt(Xs, M, L, G).
pt([X|Xs], M, L, [X|G]) :- pt(Xs, M, L, G).



The method presented in King et al. (2006) handles this cut by enforcing monotonicity on the predicate. To this end, the negation of the constraint before the cut (X > M) is conceptually added to the last clause and the cut then disregarded. The groundness requirement inferred in this way for pt(w, x, y, z) is (w ∧ x) ∨ (x ∧ y ∧ z). The determinacy condition inferred for the same predicate by the method presented in this paper is w ∧ (y ∨ z), which is clearly an improvement, though still sufficient. Improvements similar to this can be observed when analysing a number of benchmark programs. Table 1 summarises the results of this comparison on 22 benchmarks (which are available at http://www.cs.kent.ac.uk/people/staff/amk/cut-normal-form-benchmarks.zip). Under 'org' is the number of predicate definitions in the original program. To give a measure of the impact of the cut normal form transformation, under 'new' is the number of new predicates introduced by it. Under 'impr' is the number of predicates in the original benchmark (excluding any newly introduced ones) on which the determinacy inference is improved by our method over King et al. (2006). Under 'mean' is the mean size of improvement (i.e. the mean number of variables which occur in the previous determinacy condition but not in the new one). The results show a uniform improvement. Note that nandc, dialog, neural and boyer give precision improvements but no determinacy conditions are inferred which involve strictly fewer variables. The runtimes for the groundness analysis, the depth-k analysis and the backwards analysis that propagates determinacy requirements against the control flow are all under a second for all benchmarks (and not even SCCs are considered in the bottom-up fixpoint calculations). However, the overall runtime is up to an order of magnitude greater, due to the time required to calculate the mutual exclusion conditions. This is because the definition of the abstract mutual exclusion in section 4 is inherently exponential in the arity of a predicate. This is currently the bottleneck.

benchmark         org   new  impr  mean
asm                44   157     5   0.6
peval             108    14     2   1
crypt_wamcc        11    12     2   2
nandc              12     5     2
semi               22    19
life               10    11     7   1.85
qsort               3     1     1   1
roup               16     5     4   1
browse             15     7     1   2
tsp                23     2    10   1.4
ga                 58   102     2   1.5
flatten            27    25     6   1.5
dialog             30    11     3
neural             34    23     3
unify              26    33     3   1.33
nbody              48    34    11   2
peep               20   189
boyer              26    95     4
read               42    89
qplan              65    41     7   2.57
reducer            31    57     9   2
simple_analyzer    60    50     9   2.22

Table 1. Comparison



6 Related Work 



Determinacy inference and analysis. As mentioned above, Lu and King (2005) and King et al. (2006) address the problem of inferring determinacy conditions on a predicate. Since their limitations have been discussed above, we will not repeat them here. Dawson et al. (1993) present a method for inferring determinacy information from a program by adding constraints to the clauses of a predicate which allow the inference of mutual exclusion conditions between these clauses rather than determinacy conditions for a whole predicate. Sahlin (1991) presents a method for determinacy analysis, based on a partial evaluation technique for full Prolog, which detects whether there are none, one or more than one ways a goal can succeed. This approach has been developed by Mogensen (1996) (see below). Le Charlier et al. (1994) present a top-down framework for abstract interpretation of Prolog which is based on sequences of substitutions and can be instantiated to derive an analysis equivalent to that of Sahlin (1991).



Denotational semantics for Prolog with cut. Mogensen (1996) constructs a denotational semantics for Prolog with cut based on streams of substitutions as the basis for a formal correctness argument for the determinacy analysis. The problem of constructing a denotational semantics for Prolog with cut has been addressed before by Billaud (1990), Debray and Mishra (1988) and de Vink (1989) a good 20 years ago, around the same time that Apt et al. (1988) first published their theory of non-monotonic reasoning, introducing the idea of stratification. Billaud (1990) constructs an elegant denotational semantics based on streams of states of computation and proves it correct with respect to an operational semantics. Debray and Mishra (1988) construct a more complex semantics over a domain of sequences of substitutions, comparable to our $Con_{Seq}$, but partially ordered, in contrast to $Con_{Seq}$, by a prefix-ordering rather than a sub-sequence-ordering. Both proceed by first defining a semantics for cut-free Prolog and then extending it to cut. In both cases, they argue monotonicity for the former of these constructions and appear to assume that it carries over to the latter. Finally, de Vink (1989), too, presents a denotational semantics of Prolog with cut. His approach is probably closest to ours, using environments to represent the context provided by a program in a similar fashion. However, as in the case of Debray and Mishra (1988), no argument is provided for the monotonicity of their semantic operators, which casts some doubt over the question whether the semantics is well-defined. Common to all these approaches is the view of cut as essentially an independent piece of syntax. This view requires cut to be treated on a par with success and failure, having an evaluation by itself, which creates the need for complex constructions involving the introduction and later elimination of cut-flags into the streams or sequences, to semantically simulate the effect that cut has on a computation. In contrast, we view cut as essentially relational. In our view, a cut has no semantics of its own, but only affects the evaluation of the goals in the context where it occurs. This relieves us of the need for systematically introducing and eliminating cut-flags.



7 Conclusions 

This paper has presented a determinacy inference for Prolog with cut, which treats cut in a uniform way, while being more elegant and powerful than previously existing methods. The inference has been proved correct with respect to a novel denotational semantics for Prolog with cut. We have demonstrated the viability of the method by reporting on the performance of an implementation thereof and evaluating it against a comparable existing method.
8 Appendix - Proofs

8.1 $Con_{Seq}$ is a complete lattice

8.1.1 Relation on $Con_{Seq}$ is a partial order

The relation is reflexive: $\Theta \sqsubseteq \Theta$

Observe that: $\forall \Theta \in Con_{Seq} . (\Theta \sqsubseteq_{pw} \Theta \wedge \Theta \in Sub_{|\Theta|}(\Theta))$

hence $\forall \Theta \in Con_{Seq} . (\Theta \sqsubseteq \Theta)$
by selecting $\Phi = \Theta$

The relation is transitive: $\Theta_1 \sqsubseteq \Theta_2 \wedge \Theta_2 \sqsubseteq \Theta_3 \Rightarrow \Theta_1 \sqsubseteq \Theta_3$

$\forall \Theta_1, \Theta_2, \Theta_3 \in Con_{Seq} . ((\Theta_1 \sqsubseteq \Theta_2 \wedge \Theta_2 \sqsubseteq \Theta_3) \Rightarrow (\Theta_1 \sqsubseteq \Theta_3))$

let $|\Theta_1| = l$, $|\Theta_2| = m$, $|\Theta_3| = n$, $l \le m \le n$

$(\Theta_1 \sqsubseteq \Theta_2) \Rightarrow \exists \Phi_1 \in Sub_l(\Theta_2) . (\Theta_1 \sqsubseteq_{pw} \Phi_1)$

$(\Theta_2 \sqsubseteq \Theta_3) \Rightarrow \exists \Phi_2 \in Sub_m(\Theta_3) . (\Theta_2 \sqsubseteq_{pw} \Phi_2)$

since $\Theta_2 \sqsubseteq_{pw} \Phi_2$ and $\exists \Phi_1 \in Sub_l(\Theta_2) . (\Theta_1 \sqsubseteq_{pw} \Phi_1)$: $\exists \Phi_3 \in Sub_l(\Phi_2) . (\Theta_1 \sqsubseteq_{pw} \Phi_3)$

hence $\exists \Phi_3 \in Sub_l(\Theta_3) . (\Theta_1 \sqsubseteq_{pw} \Phi_3)$
therefore $\Theta_1 \sqsubseteq \Theta_3$

The relation is anti-symmetric: $\forall \Theta_1, \Theta_2 \in Con_{Seq} . (\Theta_1 \sqsubseteq \Theta_2 \wedge \Theta_2 \sqsubseteq \Theta_1 \Rightarrow \Theta_1 = \Theta_2)$

let $|\Theta_1| = m$, $|\Theta_2| = n$

$(\Theta_1 \sqsubseteq \Theta_2) \Rightarrow \exists \Phi_1 \in Sub_m(\Theta_2)$ such that $\Theta_1 \sqsubseteq_{pw} \Phi_1$

$(\Theta_2 \sqsubseteq \Theta_1) \Rightarrow \exists \Phi_2 \in Sub_n(\Theta_1)$ such that $\Theta_2 \sqsubseteq_{pw} \Phi_2$
$|\Phi_1| = m$ and $|\Phi_1| \le n$ hence $m \le n$
$|\Phi_2| = n$ and $|\Phi_2| \le m$ hence $n \le m$
hence $m = n$ (by anti-symmetry of $\le$)
hence $\Phi_1 = \Theta_2$ and $\Phi_2 = \Theta_1$
hence $\Theta_1 \sqsubseteq_{pw} \Theta_2$ and $\Theta_2 \sqsubseteq_{pw} \Theta_1$
therefore:

$\Theta_1 = \Theta_2$ (by anti-symmetry of $\sqsubseteq_{pw}$)

8.1.2 The meet of two sequences is unique and therefore well defined:

First note that by the definition of $\sqcap$, $\Theta \sqcap \Psi \sqsubseteq \Theta$ and $\Theta \sqcap \Psi \sqsubseteq \Psi$
Then show: $\forall \Theta, \Psi, \Gamma \in Con_{Seq} : \Gamma \sqsubseteq \Theta \wedge \Gamma \sqsubseteq \Psi \Rightarrow \Gamma \sqsubseteq (\Theta \sqcap \Psi)$

$|\Theta| = n$, $|\Psi| = m$, $|\Gamma| = k$
$\Gamma \sqsubseteq \Theta \rightarrow \exists \Theta_1 \in Sub_k(\Theta) . (\Gamma \sqsubseteq_{pw} \Theta_1)$
$\Gamma \sqsubseteq \Psi \rightarrow \exists \Psi_1 \in Sub_k(\Psi) . (\Gamma \sqsubseteq_{pw} \Psi_1)$
$|\Theta_1| = k$, $|\Psi_1| = k$

assume (without loss of generality): $n \ge m$, then: $|\Theta \sqcap \Psi| = l$, $l \le m$

since $\Gamma \sqsubseteq \Theta$ and $\Gamma \sqsubseteq \Psi$, $k \le m$ (and $k \le n$)

since $\Gamma \sqsubseteq_{pw} \Theta_1$ and $\Gamma \sqsubseteq_{pw} \Psi_1$: $\Gamma \sqsubseteq_{pw} (\Theta_1 \sqcap_{pw} \Psi_1)$
hence $\Gamma \sqsubseteq (\Theta_1 \sqcap_{pw} \Psi_1)$
$(\Psi_1 \in Sub_k(\Psi)) \Rightarrow (\Psi_1 \sqsubseteq \Psi)$
$(\Theta_1 \in Sub_k(\Theta)) \Rightarrow (\Theta_1 \sqsubseteq \Theta)$

$(\Theta_1 \sqcap_{pw} \Psi_1) \in \{\Theta' \sqcap_{pw} \Psi_1 \mid \Theta' \in Sub_k(\Theta)\}$ (since $\Theta_1 \in Sub_k(\Theta)$)

$(\Theta_1 \sqcap_{pw} \Psi_1) \sqsubseteq_{pw} \bigsqcup_{pw}\{\Theta' \sqcap_{pw} \Psi_1 \mid \Theta' \in Sub_k(\Theta)\}$

(note that since $\Gamma \in Con_{Seq}$, $\Gamma$ does not contain $\{false\}$

and since $\Gamma \sqsubseteq_{pw} (\Theta_1 \sqcap_{pw} \Psi_1)$, $\Theta_1 \sqcap_{pw} \Psi_1$ does not contain $\{false\}$

hence $(\Theta_1 \sqcap_{pw} \Psi_1) = trim(\Theta_1 \sqcap_{pw} \Psi_1)$)

$(\Theta_1 \sqcap_{pw} \Psi_1) \sqsubseteq (\Theta \sqcap \Psi_1)$

$(\Theta \sqcap \Psi_1) \sqsubseteq (\Theta \sqcap \Psi)$ (since $\Psi_1 \sqsubseteq \Psi$ and $\sqcap$ is monotonic)
therefore $\Gamma \sqsubseteq (\Theta \sqcap \Psi)$



8.2 Cut-normal form

We transform Prolog predicates that are defined by any number of clauses, none of which contains a disjunction, into this form by constructing G1, G2, G3 and G4 as follows:

If no clause precedes the clause containing the first cut, set G1 to post(false).
Else, if a single clause precedes the clause containing the first cut, set G1 to the body of this clause.
Otherwise, define an auxiliary predicate to wrap up all clauses preceding the clause containing the first cut and set G1 to a call to that predicate.

If there is no cut in the predicate, set G2 to post(false).
Else, if no atom precedes the first cut, set G2 to post(true).
Otherwise, set G2 to the compound goal before the first cut.

If there is no cut in the predicate, set G3 to any goal, e.g. post(true).
Else, if no goal follows the first cut, set G3 to post(true).
Else, if the compound goal following the first cut does not contain another cut, set G3 to that goal.
Otherwise, define an auxiliary predicate to wrap up the compound goal following the first cut and set G3 to a call to that predicate.

If no clause follows the clause containing the first cut, set G4 to post(false).
Else, if a single, cut-free clause follows the clause containing the first cut, set G4 to the body of this clause.
Otherwise, define an auxiliary predicate to wrap up all clauses following the clause containing the first cut and set G4 to a call to that predicate.
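The construction above as an added Python example (my code, not RedAlert's), over a simplified clause representation: clause heads are assumed already normalised to distinct variables, so a clause is just its body (a list of goal strings, "!" for cut). The auxiliary naming scheme, passing the wrapped goals' variables as the auxiliary's arguments, normalising auxiliaries recursively, and the way a cut-free multi-clause predicate is split between G1 and G4 are my assumptions; the page does not fix them.

```python
"""Cut-normal form construction (added example, not RedAlert's own code).

Clause heads are assumed already normalised to distinct variables, so a clause
is just its body: a list of goal strings with "!" standing for cut.  Auxiliary
predicates are named <pred>_aux<N> and take the variables of the goals they
wrap as arguments (both are assumptions of this example); they are normalised
recursively, so every body in the result has the shape  G1 ; G2, !, G3 ; G4.
"""
import re
from dataclasses import dataclass

CUT = "!"
FALSE = "post(false)"
TRUE = "post(true)"
VAR_RE = re.compile(r"\b[A-Z_][A-Za-z0-9_]*")  # Prolog variable tokens


@dataclass(frozen=True)
class CutNormalForm:
    g1: str
    g2: str
    g3: str
    g4: str

    def __str__(self):
        return f"{self.g1} ; {self.g2}, !, {self.g3} ; {self.g4}"


def conj(goals):
    """Render a goal sequence as a conjunction; an empty body (a fact) is true."""
    return ", ".join(goals) if goals else TRUE


def variables(clauses):
    """Variables of the clauses in first-occurrence order ("_" is anonymous)."""
    found = [v for c in clauses for g in c for v in VAR_RE.findall(g) if v != "_"]
    return list(dict.fromkeys(found))


def normalise(name, clauses, out=None):
    """Put predicate `name`, given by `clauses`, into cut-normal form.

    Returns a dict from predicate name to CutNormalForm holding `name` and
    every auxiliary predicate the construction introduced.
    """
    if out is None:
        out = {}
    aux_count = 0

    def wrap(cls):
        # Define an auxiliary predicate for the clauses `cls`, normalise it
        # too, and return a call to it.
        nonlocal aux_count
        aux_count += 1
        aux = f"{name}_aux{aux_count}"
        normalise(aux, cls, out)
        args = variables(cls)
        return f"{aux}({', '.join(args)})" if args else aux

    cut_idx = next((i for i, c in enumerate(clauses) if CUT in c), None)
    if cut_idx is None:
        # Cut-free predicate: G2 = post(false) disables the middle branch, so
        # the clauses go to G1 and G4.  The page does not fix that split; first
        # clause to G1, rest to G4 keeps each auxiliary smaller (terminates).
        preceding, cut_clause, following = clauses[:1], None, clauses[1:]
    else:
        preceding = clauses[:cut_idx]
        cut_clause = clauses[cut_idx]
        following = clauses[cut_idx + 1:]

    # G1: the clauses preceding the clause with the first cut.
    if not preceding:
        g1 = FALSE
    elif len(preceding) == 1:
        g1 = conj(preceding[0])
    else:
        g1 = wrap(preceding)

    # G2 / G3: the goals before and after the first cut of that clause.
    if cut_clause is None:
        g2, g3 = FALSE, TRUE
    else:
        k = cut_clause.index(CUT)
        before, after = cut_clause[:k], cut_clause[k + 1:]
        g2 = conj(before) if before else TRUE
        if not after:
            g3 = TRUE
        elif CUT not in after:
            g3 = conj(after)
        else:
            g3 = wrap([after])  # a further cut: wrap the remainder

    # G4: the clauses following the clause with the first cut.
    if not following:
        g4 = FALSE
    elif len(following) == 1 and CUT not in following[0]:
        g4 = conj(following[0])
    else:
        g4 = wrap(following)

    out[name] = CutNormalForm(g1, g2, g3, g4)
    return out


# pt/4 from Section 5 with its heads normalised to pt(A, B, C, D) (constructed input).
PT_CLAUSES = [
    ["A = []", "C = []", "D = []"],
    ["A = [X|Xs]", "B = M", "C = [X|L]", "D = G", "X =< M", "!", "pt(Xs, M, L, G)"],
    ["A = [X|Xs]", "B = M", "C = L", "D = [X|G]", "pt(Xs, M, L, G)"],
]
```

For pt the result needs no auxiliary: G1 is the body of the first clause, G2 the goals before the cut, G3 the recursive call and G4 the body of the third clause.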
8.3 Theorem 1: $\bigcup(\mathcal{F}_G[G]\mu_P\Theta) \subseteq \bigcup(\Theta) \cap S_G[G]$

Notice first that the following things hold: 
U(^) C [j{tnm{^)) 

4(9 u = 4B u 4,$ 
4(6 n $) = 49 n ;$ 
|5(eu$) = %(e)u|j;($) 
%(en<i>) c3j(e)n%($) 

Px,y{Q n $) cj35_je n ps,g^ 

35(43^(9)) = 3,^(6) 

Proof by induction on length of $\Theta$:

Base Case: $\Theta = []$

$\bigcup(\mathcal{F}_G[G]\mu_P[]) = \bigcup([]) = \emptyset$
$\bigcup([]) \cap S_G[G] = \emptyset \cap S_G[G] = \emptyset$

$\emptyset \subseteq \emptyset$

therefore: $\bigcup(\mathcal{F}_G[G]\mu_P[]) \subseteq \bigcup([]) \cap S_G[G]$
Induction Step:

Assume: $\bigcup(\mathcal{F}_G[G]\mu_P\Theta) \subseteq \bigcup(\Theta) \cap S_G[G]$
Show: $\bigcup(\mathcal{F}_G[G]\mu_P(\theta : \Theta)) \subseteq \bigcup(\theta : \Theta) \cap S_G[G]$

Induction on structure of G:

Two base cases: (1) $G = post(\phi)$, (2) $G = p(\bar{x})$

(1) $G = post(\phi)$

Assume: $\bigcup(\mathcal{F}_G[post(\phi)]\mu_P\Theta) \subseteq \bigcup(\Theta) \cap S_G[post(\phi)]$
Show: $\bigcup(\mathcal{F}_G[post(\phi)]\mu_P(\theta : \Theta)) \subseteq \bigcup(\theta : \Theta) \cap S_G[post(\phi)]$
U(9:9)n^Glpost)(0)l 

= (9 n ^Glpost(0)l) u (U(9) n 5Glpost(<^)l) 
= (9 n m) u (U(9) n 5Glpost(,^)l) 

U(-FGlpost(</))lAip(9:9)) 
= [j{tnm{m n e : ^G[post(0)l/ipe)) 
CU(4{0}n9:^Glpost(0)l/ip9) 
= im n 9) U U(^Glpost(<^)l/xp9) 

c n 6) u (U(9) n 5G[post(0)l) 

therefore: U(^G[post(</))lMp(e : 9)) C U(e : 9) n 5G[post(<^)l 

(2) $G = p(\bar{x})$

Assume (without loss of generality): $p(\bar{y}) \leftarrow G_1 ; G_2, !, G_3 ; G_4 \in P$

Assume: $\bigcup(\mathcal{F}_G[p(\bar{x})]\mu_P\Theta) \subseteq \bigcup(\Theta) \cap S_G[p(\bar{x})]$
Show: $\bigcup(\mathcal{F}_G[p(\bar{x})]\mu_P(\theta : \Theta)) \subseteq \bigcup(\theta : \Theta) \cap S_G[p(\bar{x})]$
$\bigcup(\theta : \Theta) \cap S_G[p(\bar{x})]$
= (6 n SaMm u (U(e) n SaMm 
= (e ni95,5%(5ffb(y)l)) u (U(0) n SoMm 
= (e n4Pj;,5%(43|;(5GlGil u 5gIG2, G3I u SgIG4))) u (U(e) n ^Gb(f)l) 
= (e n k^5%(5gIGi1 u ^cIGa^Gsl u 5gIG41)) u (U(e) n ScMm 

u{\j{e)nSGMm 



where ^ = 



U(-FGb(x)lMp(e : e)) _ 

: [ji^p^,s3^i^l ip{y)) K^i7%([e])) n e : TcMm^^) 
■ {[J{^y,sM^t_{pm ^s,yMm))) n e) u U(-^Gb(af)lMe) 

: (U(4p?,23g(43,(7-G[GilM[e'] : *))) n 6) U U(-^Gb(^)l/«0) 

^GlGslMi*] z/ ^GlG2lM[e'] = $ : $ 

^GlG4iM[e'] ^GlG2l/x[e'] = 

To be on the safe side, consider the sequence resulting from appending both possibilities for the union of which is certainly a superset of the above:

C (U(4pff,535(^,(^GlGilM[e'] : J^GlGsim : ^GlG4l/z[e'])))ne)uU(^Gb(a;)l/xe) 

where # : ^ = TgIG2M'^'] 
Again, changing this to include all, rather than only the first, possibilities for $\mathcal{F}_G[G_2]\mu[\Theta']$ will result in a safe over-approximation, i.e. a superset of the above:

^ (U(H-x-35(4a,(j^GlGii/x[e'] : j^gIG3M:fgIG2U&']) J-GlG4l/x[e']))) ne) 
u U(-^Gb(^)lMe) 

= (U(4p,-s3j;(^GlGilM[e'] : ^GlG^l/i(^GlG2l/i[e']) : FGlG,ue']))ne)u[j{FGlp{x)ji^^) 
= (U(K-53j7(^GlGilM[e']) : 4pg,5%(^GlG3l/x(7-GlG2lM[e'])) : te%(^GlG4lM[e'])) 

ne)uu_(-FGb(a?)lMe) 

= ((U(K^535(^GlGilM[e']))uU(4Pff,x%(J^G[G3lM(^G[G2lM[ei)))uU(4p,^ 

ne)uU(-^Gb(2^)lA^©) 

= (te3,KU(-^GlGilM[e']))U4pg,s%(U(^GlG3lM(-FGlG2lM[e'])))UH-235^ 

ne)uU(^Gb(^)lM©) 

since: U(-^GlGilA*[e']) C 5g[Gi1 n 9' 
and: [J{TgIG2MQ']) ^ 3^62} n 9' 

hence: U(-^GlG3l/i(-FGlG2l/i[9'])) C ^cIGgl n (5gIG21 n 9') 
hence: U(-^GlG3l/i(-FG[G2lM[9'])) C (5gIG31 n ^gIGzI) n9' 
hence: U(-^GlG3lAi(^GlG2lM[e'])) C 5g[G2, G3I n 9' 
and: U(-^gIG41m[0']) ^ 5gIG41 n 9' 

using these, therefore, the above superset of $\bigcup(\mathcal{F}_G[p(\bar{x})]\mu_P(\theta : \Theta))$ is a subset of:

c ((4p^- 5%(5gIGi1 n9') u4jo^,5%(5g[G2, G3I n9')u4pff,535(5G[G4l n9')) n9) 

uU(-^Gb(^)lM9) 

since: 9' = ips,y3x{@), the following holds: Ip^^s^^iQ') = Ipg^s3^{lps,y3x{'d)) 
= ^x(e) D 9 

intersecting this with 9 therefore gives 9 itself: lpg,s3g{Q') H 9 = 9 distributing 
the projections and collecting and intersection the occurrences of ]p^^g3jj(@') and 
9 above therefore gives: 
C {{\pg^33g{SGlG4)Ulp^,,3^{SGlG2, Gsj) U lPy,s3g{SGlG4)) H &) 

u(U(e)n^Gb(5)l) 
= U(e : e) n SgM^)! 

Induction Step: $G = G_1, G_2$

Assume: $\bigcup(\mathcal{F}_G[G_1, G_2]\mu_P\Theta) \subseteq \bigcup(\Theta) \cap S_G[G_1, G_2]$

And: $\bigcup(\mathcal{F}_G[G_1]\mu_P\Phi) \subseteq \bigcup(\Phi) \cap S_G[G_1]$

And: $\bigcup(\mathcal{F}_G[G_2]\mu_P\Psi) \subseteq \bigcup(\Psi) \cap S_G[G_2]$

Show: $\bigcup(\mathcal{F}_G[G_1, G_2]\mu_P(\theta : \Theta)) \subseteq \bigcup(\theta : \Theta) \cap S_G[G_1, G_2]$

$\bigcup(\theta : \Theta) \cap S_G[G_1, G_2]$
$= (\theta \cap S_G[G_1, G_2]) \cup (\bigcup(\Theta) \cap S_G[G_1, G_2])$
$= (\theta \cap S_G[G_1] \cap S_G[G_2]) \cup (\bigcup(\Theta) \cap S_G[G_1, G_2])$

$\bigcup(\mathcal{F}_G[G_1, G_2]\mu_P(\theta : \Theta))$

$= \bigcup(\mathcal{F}_G[G_2]\mu_P(\mathcal{F}_G[G_1]\mu_P(\theta : \Theta)))$

$\subseteq \bigcup(\mathcal{F}_G[G_1]\mu_P(\theta : \Theta)) \cap S_G[G_2]$
$\subseteq \bigcup(\theta : \Theta) \cap S_G[G_1] \cap S_G[G_2]$
$= \bigcup(\theta : \Theta) \cap S_G[G_1, G_2]$

QED



8.4 Theorem 2: For $\Theta \in Con_{Seq}$ and stratified $P = P_0 \cup \ldots \cup P_n$:

$\Theta \subseteq \mathcal{D}_G[G]\delta_P \Rightarrow |\mathcal{F}_G[G]\mu_P[\Theta]| \le 1$.

8.4.1 Lemma 1: $(\mathcal{F}_G[G]\mu\Theta) \cap \Psi = \mathcal{F}_G[G]\mu(\Theta \cap \Psi)$

Proof by nested induction on:

1. $\mu$,

2. $|\Theta|$,

3. structure of G

1 Base Case: $\mu = \mu_\bot$

Show: $(\mathcal{F}_G[G]\mu_\bot\Theta) \cap \Psi = \mathcal{F}_G[G]\mu_\bot(\Theta \cap \Psi)$

1.1 Base Case: $\Theta = []$

Show: $(\mathcal{F}_G[G]\mu_\bot[]) \cap \Psi = \mathcal{F}_G[G]\mu_\bot([] \cap \Psi)$
$([]) \cap \Psi = \mathcal{F}_G[G]\mu_\bot([])$
$[] = []$

1.2 Induction Step: $(\theta : \Theta)$

Assume: $(\mathcal{F}_G[H]\mu_\bot\Theta) \cap \Psi = \mathcal{F}_G[H]\mu_\bot(\Theta \cap \Psi)$

Show: $(\mathcal{F}_G[G]\mu_\bot(\theta : \Theta)) \cap \Psi = \mathcal{F}_G[G]\mu_\bot((\theta : \Theta) \cap \Psi)$

1.2.1 Two Base Cases: (1) $G = post(\phi)$, (2) $G = p(\bar{x})$

(1) $G = post(\phi)$

Show: (J-G[post(<^)lM±(e : 6)) n * = TGl90SX{(|,)\^l^{{@ : 6) n *) 

{Fal'postmii^iQ : 6)) n * = -FGlpost(0)]/x±((e : 9) n 

trim{i{(l)) n e : jrG[post(</.)lM±e) n * = JfG[post((/))lM±((e n *) : (6 n 

(tnm[4.{0} n 6] : Mm(J"G Ipost(0)];U_L6)) n * 

= trim{\{(j)} n 6 n * : J'G[[post(0)]^_L(e n *)) 
(inm[4.{(/»} n 6] n : (<nm(J'G[Ipost((/))]/;i±e) n «') 

= inm[4.{(/)} n 9 n : Mm(J'G|post(</>)lAt_L(9 n 
by assumption:(J"Glpost((/))]/i_Le) n = J"G[post((/))]^±(9 n 
<hm(J"Glpost((/))]/ii9) n * = tnm(J^Glpost((/>)]/x_L(9 n *)) 
tnm(4.{(^} n 9) n ^' = trim{i{(j)} n 9 n *) 

(2) G - p{x) 

Show: (J-Gb(2:)l/x±(9 : 9)) n * = ^Gb(f)lM±((0 : 9) n *) 
(J^Gb(5_)lM±(e:9))nvI/_ 

= (4y9j;,53j;(^i(p(y)) K-,j;35([9])) H 9 : 7-Gb(f)lM±0) H * 

= n 9 : J-Gb(f)lM±0) n M/ 

= ([]):(-^Gb(^)lM±e)n* 

by assumption: (J'g|p(^)1m_l0) n * = J'GbCf )lAt±(9 n 

^Gb(^)lM±((e:9)nvi/) 

= j-Gb(f)lM±((e n *) :_(9 n f )) 

= \pJ;^3M^^Ap{v)) \p3,yM\^ n *])) n 9 n * : TgMx)\ii^{Q n *) 
= ([]) :^Gb(f)lM±(envi/) 

hence: (J-Gb(f)lM±(e : 9)) n * = J-Gb(^)l/«±((0 : 6) n *) 
1.2.2 Induction Step: $G = G_1, G_2$

Assume: $(\mathcal{F}_G[G_1]\mu_\bot(\theta : \Theta)) \cap \Psi = \mathcal{F}_G[G_1]\mu_\bot((\theta : \Theta) \cap \Psi)$

And: $(\mathcal{F}_G[G_2]\mu_\bot(\theta : \Theta)) \cap \Psi = \mathcal{F}_G[G_2]\mu_\bot((\theta : \Theta) \cap \Psi)$

Show: $(\mathcal{F}_G[G_1, G_2]\mu_\bot(\theta : \Theta)) \cap \Psi = \mathcal{F}_G[G_1, G_2]\mu_\bot((\theta : \Theta) \cap \Psi)$

$(\mathcal{F}_G[G_1, G_2]\mu_\bot(\theta : \Theta)) \cap \Psi$

$= (\mathcal{F}_G[G_2]\mu_\bot(\mathcal{F}_G[G_1]\mu_\bot(\theta : \Theta))) \cap \Psi$

$= \mathcal{F}_G[G_2]\mu_\bot((\mathcal{F}_G[G_1]\mu_\bot(\theta : \Theta)) \cap \Psi)$

$= \mathcal{F}_G[G_2]\mu_\bot(\mathcal{F}_G[G_1]\mu_\bot((\theta : \Theta) \cap \Psi))$

$= \mathcal{F}_G[G_1, G_2]\mu_\bot((\theta : \Theta) \cap \Psi)$

2 Induction Step: $\mu = \mu_{k+1}$
Assume: (J^Gl^fl/^fc A) n A = TalHliJiki^ n A) 
Show: $(\mathcal{F}_G[G]\mu_{k+1}\Theta) \cap \Psi = \mathcal{F}_G[G]\mu_{k+1}(\Theta \cap \Psi)$
where $\mu_{k+1} = \mathcal{F}_P[P]\mu_k$

2.1 Base Case: $\Theta = []$

Show: $(\mathcal{F}_G[G]\mu_{k+1}[]) \cap \Psi = \mathcal{F}_G[G]\mu_{k+1}([] \cap \Psi)$

$([]) \cap \Psi = \mathcal{F}_G[G]\mu_{k+1}([])$
$([]) = ([])$

2.2 Induction Step: $\Theta = (\theta : \Theta)$

Assume: $(\mathcal{F}_G[G]\mu_{k+1}\Theta) \cap \Psi = \mathcal{F}_G[G]\mu_{k+1}(\Theta \cap \Psi)$

Show: $(\mathcal{F}_G[G]\mu_{k+1}(\theta : \Theta)) \cap \Psi = \mathcal{F}_G[G]\mu_{k+1}((\theta : \Theta) \cap \Psi)$

2.2.1 Two Base Cases: (1) $G = post(\phi)$, (2) $G = p(\bar{x})$

(1) $G = post(\phi)$

Show: (J^G[post(0)lMfc+i(e : 6)) n * = J-G[post(</))l/Xfc+i((9 : 6) n *) 

(J-G[post(</.)lMfc+i(e : 9)) n * = 7-G[post(</-)l/Xfc+i((9 : 9) n *) 

tnm{i{<l>} n 9 : ^Glpost((/))l/ifc+i9) n * = ^Glpost((^)lMfc+i((e n *) : (9 n *)) 

{tnm[i{(j)} n 9] : Mm(J-G Ipost((/.)]/ifc+i9)) n * 

= tnm(;{<^} n 9 n * : J^G lpost(0)]/Xfc+i(9 n 

(tnm(4.{(/.} n 9) n : {trim{J^Gl90St{(t))}iJ.k+i&) n 

= trim{i{(j)} 9 0*): Mm(J'Glpost((^)];Ufc+i(9 n *)) 

by assumption: TGlpost{4>)lfik+iQ) n * = J"Glpost(0)]M;=+i(e n 

hence: ihm(^G [post((/))]Aifc+i9) n * = trim{J^Glpost{(j))}nk+i{& n *)) 

tnm(4.{(;i} n 9) n * = trim{i{(f>} n 9 n *) 

(2) G = p{x) 

Assume (without loss of generahty): p{y) Gi; G2, !, G3; G4 £ P 
Show: (7-Gb(^)lMfc+i(9 : 9)) n * = J'GMx)hk+ii{e : 9) n *) 

(.FGb(f)l/ife+i(e:9))n*_ 

= (4pj,s%(/ifc+i(p(y)) 4P£.j;l5([0])) n e : .FGb(.f)lMfc+ie) n 

= (4p5,s3g(Mft+ib(y)) lps,yM[Q])) n 9) n * : {J^Gb>{^)it^k+i&) n * 

j^Gb(^)lMfc+i((e:e)n*) 

= .FGb(_f)lAi/c+i((e n : (9 n *)) 

= {ip^,s3^{fik+i{p{y)) lps,yM[Q n n 9 n : (j-Gb(f)lMfe+i(e n *)) 

by assumption: (J"Gb(^)lMfc+iB) n = (J"Gb(^)lMfe+i(0 n *)) 
hence the question is whether the following holds: 

{^g,3^y{f^k+i{p{y)) ips^g3s{[&y)) n 9) n * 
= {iPy,^M^^k+l{p{y)) ips,yM[Q n *])) n 9 n *) 

(i>i;.x%(/ifc+i(?3(^)) 4p5,i735([9_n *])) n 9) n * 

= ^^,sM^yi^GlGih-ik lps,yM[<d n *])) : A)) n 9 n * 

v,here A = / -^GlGsl/Xfc [A] _ tf .FgIG^I/x^ 4P5,y3s([e H M/]) = A : A 

1 J-G[G4lMfc 4P£,?3s([9 n *]) J-G[G2lMfc_-L0x,?35([9 n *]) = [] 

= {lpg,sM^GlGijnk iPs,yM[^ n *]))) n 9 n *) : (4P5,£3ff(A) n 9 n 
Observe that for any F: ip^^s^^iTalFllik \p3.,yMM)) = ^siJ^dFluk 43s([e])) 
henc_e: {\p^^3M^GlGll^ik \p3.yM[Q n *]))) n 6 n * 

= {^^{JGlGll^ik 4%([0 n VI/]))) n e n VI/ 

= {^^{TGlGl\^lk [435(6 n VI/) n 435(6)])) n 6 n * 

(since 435(6 n *) C 43^(6)) 
which by assumption is equal to: 

{BxiJ'GlGillik [^5(e)]|n 435(6 n_*)) n 6 n * 

= (435(435(^GlGilMfc [435_(6)]) n 435(6 n VI/)) n 6 n * 

(since 435(^ n B) ^si^xiA) n B)) 

= {BsiJ'GlGiyik [435(e)]) n ^5(e_n *) n e_n * 

Jsince 435(435(4) n 435(B)) = 435(^) n 435(S)) 
= (435(^GlGil/Xfc [435(e)]) n 6 n vf- 

(since 6 n * C 43^(6 n *)) 

= {\pg,3M^GiGiliik 4P5,535([e]))) n 6 n * 

by parallel reasoning: 

{\p^,sM^GlG4^^k 4y35,y35([e_n «-]))) n e n * 
= {\p^,sM^GlGiltxk 4p5,?35([6]))) n 6 n * 

also by parallel reasoning: 

{\p^,3M^GlG2\^ik 4p5,i;35([e_n ^))) n e n * 
= {\p^.3M^GlG2\^^k 4P5,j735([6]))) n 6 n * 

hence if {ipj;,33^{FGlG2Mk 4P5.|;35([e n *]))) n 6 n ^' = A : A 
and {\p^,3M^GlG2ll^k 4p5,y35([6]))) n 6 n = $ : $ 
then A = $ 

hence {\p^,sM^GlGsliXk [A]))) n n * = {\p^,3M^GlG^l^ik [$]))) n n * 
now sav f = I ^gIGM^ _ H ^G[G2lMfc \P3,vMm = $ : ^ 

^ ^ 1 :FGlG4tik \P3,yMm if ^G[G2lMfe \PS,yMm = [] 

then f = A 

hence: ^p^.s^yi^yiJ^GlGijiik 4f5,535([e n *])) : A)) n 6 n * 
= ip^,3M^y_i^GlGihk 4P5,535a0])) : f )) n 6 n * 
hence: {^^^3^^{fik+i{piy)) 4f 5.y35([6])) n 6) n ^' 

= (4pj,53|;(Aifc+i(p(^)) 4P5,y35([6 n *])) n 6 n *) 

therefore: {TGlp{x)jfik+i{e : 0)) n * = ^Gb(a?)lAifc+i((6 : 6) n *) 
2.2.2 Induction Step: $G = G_1, G_2$

Assume: $(\mathcal{F}_G[G_1]\mu_{k+1}(\theta : \Theta)) \cap \Psi = \mathcal{F}_G[G_1]\mu_{k+1}((\theta : \Theta) \cap \Psi)$

And: $(\mathcal{F}_G[G_2]\mu_{k+1}(\theta : \Theta)) \cap \Psi = \mathcal{F}_G[G_2]\mu_{k+1}((\theta : \Theta) \cap \Psi)$

Show: $(\mathcal{F}_G[G_1, G_2]\mu_{k+1}(\theta : \Theta)) \cap \Psi = \mathcal{F}_G[G_1, G_2]\mu_{k+1}((\theta : \Theta) \cap \Psi)$

$(\mathcal{F}_G[G_1, G_2]\mu_{k+1}(\theta : \Theta)) \cap \Psi$
$= (\mathcal{F}_G[G_2]\mu_{k+1}(\mathcal{F}_G[G_1]\mu_{k+1}(\theta : \Theta))) \cap \Psi$
$= \mathcal{F}_G[G_2]\mu_{k+1}((\mathcal{F}_G[G_1]\mu_{k+1}(\theta : \Theta)) \cap \Psi)$
$= \mathcal{F}_G[G_2]\mu_{k+1}(\mathcal{F}_G[G_1]\mu_{k+1}((\theta : \Theta) \cap \Psi))$
$= \mathcal{F}_G[G_1, G_2]\mu_{k+1}((\theta : \Theta) \cap \Psi)$
QED



8.4.2 Lemma 2: $\mathcal{F}_G[G]\mu[\Theta] = \mathcal{F}_G[G]\mu[\Theta \cap S_G[G]]$

Proof in two stages:

(a) $\mathcal{F}_G[G]\mu[\Theta \cap S_G[G]] \sqsubseteq \mathcal{F}_G[G]\mu[\Theta]$

(b) $\mathcal{F}_G[G]\mu[\Theta] \sqsubseteq \mathcal{F}_G[G]\mu[\Theta \cap S_G[G]]$

(a) by monotonicity of $\mathcal{F}_G$:

$[\Theta \cap S_G[G]] \sqsubseteq [\Theta] \Rightarrow \mathcal{F}_G[G]\mu[\Theta \cap S_G[G]] \sqsubseteq \mathcal{F}_G[G]\mu[\Theta]$

(b) $\mathcal{F}_G[G]\mu[\Theta] \sqsubseteq \mathcal{F}_G[G]\mu[\Theta \cap S_G[G]]$

Proof by nested induction on:
1. $\mu$,

2. structure of G:

1 Base Case: $\mathcal{F}_G[G]\mu_\bot[\Theta] \sqsubseteq \mathcal{F}_G[G]\mu_\bot[\Theta \cap S_G[G]]$
induction on structure of G:

1.1 Two Base Cases: (1) $G = post(\phi)$, (2) $G = p(\bar{x})$

(1) $G = post(\phi)$

Show: $\mathcal{F}_G[post(\phi)]\mu_\bot[\Theta] \sqsubseteq \mathcal{F}_G[post(\phi)]\mu_\bot[\Theta \cap S_G[post(\phi)]]$
$\mathcal{F}_G[post(\phi)]\mu_\bot[\Theta] = trim([\Theta \cap \downarrow\{\phi\}])$

$\mathcal{F}_G[post(\phi)]\mu_\bot[\Theta \cap S_G[post(\phi)]]$
$= trim([\Theta \cap S_G[post(\phi)] \cap \downarrow\{\phi\}])$

$= trim([\Theta \cap \downarrow\{\phi\} \cap \downarrow\{\phi\}])$
$= trim([\Theta \cap \downarrow\{\phi\}])$

(2) $G = p(\bar{x})$

Show: $\mathcal{F}_G[p(\bar{x})]\mu_\bot[\Theta] \sqsubseteq \mathcal{F}_G[p(\bar{x})]\mu_\bot[\Theta \cap S_G[p(\bar{x})]]$
$\mathcal{F}_G[p(\bar{x})]\mu_\bot[\Theta] = []$

$\mathcal{F}_G[p(\bar{x})]\mu_\bot[\Theta \cap S_G[p(\bar{x})]] = []$

1.2 Induction Step: $G = G_1, G_2$

Assume: $\mathcal{F}_G[G_1]\mu_\bot[\Theta_1] \sqsubseteq \mathcal{F}_G[G_1]\mu_\bot[\Theta_1 \cap S_G[G_1]]$

And: $\mathcal{F}_G[G_2]\mu_\bot[\Theta_2] \sqsubseteq \mathcal{F}_G[G_2]\mu_\bot[\Theta_2 \cap S_G[G_2]]$

Show: $\mathcal{F}_G[G_1, G_2]\mu_\bot[\Theta] \sqsubseteq \mathcal{F}_G[G_1, G_2]\mu_\bot[\Theta \cap S_G[G_1, G_2]]$

$\mathcal{F}_G[G_1, G_2]\mu_\bot[\Theta] = \mathcal{F}_G[G_2]\mu_\bot(\mathcal{F}_G[G_1]\mu_\bot[\Theta])$

by assumption: $\mathcal{F}_G[G_1]\mu_\bot[\Theta] \sqsubseteq \mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1]]$

hence: $\mathcal{F}_G[G_2]\mu_\bot(\mathcal{F}_G[G_1]\mu_\bot[\Theta]) \sqsubseteq \mathcal{F}_G[G_2]\mu_\bot(\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1]])$

by assumption:
$\mathcal{F}_G[G_2]\mu_\bot(\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1]])$
$\sqsubseteq \mathcal{F}_G[G_2]\mu_\bot((\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1]]) \cap S_G[G_2])$

by Lemma 1: $(\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1]]) \cap S_G[G_2]$

$= \mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1] \cap S_G[G_2]]$

hence: $\mathcal{F}_G[G_2]\mu_\bot((\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1]]) \cap S_G[G_2])$

$= \mathcal{F}_G[G_2]\mu_\bot(\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1] \cap S_G[G_2]])$

$= \mathcal{F}_G[G_1, G_2]\mu_\bot[\Theta \cap S_G[G_1, G_2]]$
therefore: $\mathcal{F}_G[G_1, G_2]\mu_\bot[\Theta] \sqsubseteq \mathcal{F}_G[G_1, G_2]\mu_\bot[\Theta \cap S_G[G_1, G_2]]$

2 Induction Step:

Assume: $\mathcal{F}_G[H]\mu_k[\Theta'] \sqsubseteq \mathcal{F}_G[H]\mu_k[\Theta' \cap S_G[H]]$
Show: $\mathcal{F}_G[G]\mu_{k+1}[\Theta] \sqsubseteq \mathcal{F}_G[G]\mu_{k+1}[\Theta \cap S_G[G]]$
where $\mu_{k+1} = \mathcal{F}_P[P]\mu_k$

induction on structure of G:

2.1 Two Base Cases: (1) $G = post(\phi)$, (2) $G = p(\bar{x})$

(1) $G = post(\phi)$

Show: $\mathcal{F}_G[post(\phi)]\mu_{k+1}[\Theta] \sqsubseteq \mathcal{F}_G[post(\phi)]\mu_{k+1}[\Theta \cap S_G[post(\phi)]]$
where $\mu_{k+1} = \mathcal{F}_P[P]\mu_k$

$\mathcal{F}_G[post(\phi)]\mu_{k+1}[\Theta] = trim([\Theta \cap \downarrow\{\phi\}])$
$\mathcal{F}_G[post(\phi)]\mu_{k+1}[\Theta \cap S_G[post(\phi)]]$

$= trim([\Theta \cap S_G[post(\phi)] \cap \downarrow\{\phi\}])$

$= trim([\Theta \cap \downarrow\{\phi\} \cap \downarrow\{\phi\}])$

$= trim([\Theta \cap \downarrow\{\phi\}])$

(2) $G = p(\bar{x})$

Assume (without loss of generality): $p(\bar{y}) \leftarrow G_1 ; G_2, !, G_3 ; G_4 \in P$
Show: $\mathcal{F}_G[p(\bar{x})]\mu_{k+1}[\Theta] \sqsubseteq \mathcal{F}_G[p(\bar{x})]\mu_{k+1}[\Theta \cap S_G[p(\bar{x})]]$
where: $\mu_{k+1} = \mathcal{F}_P[P]\mu_k$

^Gb(^)lMfc+i[0n5Gb(^)l]_ 

= 4P5,53j;(/xfe+i(p(y)) ips^^Bsiie n ^Gbl-^')!])) n e n MpC^^)! 

I^k+i{p{y)) lPs,yM[<d n 5Gb(a;)l]) = ^^{J^gIGiUu lPs,yM[<d n 5Gb(x)l]) : *) 
where _ 

^ ^ f -FgIG31a*/c[<i>] _ if -FGIG2IM/C 4P5.j735([e n SGMm) - * : ^ 

1 .FGlG4l/ifc K-£35([e n ScMm) if J'clG^li^k 4P5,j3x([e n SgMx)}]) = 

now: SgIp{x)\_ = \p^,s'^^{SHlp{y)l) 

= 4p5,s%(435(5g[Gi1 U 5g[G2, Gsl U 5gIG41)) 

= 4y9j7,5%(5GlGil U 5gIG2_, G3I U SgIGJ) 

= 4y3ff,53g(5GlGil) U4p,-x%(5gIG2, G3I) U 4y3ff,x3j;(5GlG4l) 
(because 3 distributes over U) 
Since S'G|p(a;)] is the union of these three components, it is a superset of each of 
them, hence: 5g[p(J)1_3 \p^,s3^(SgIGi\) 
and: SgM^)} 2 K,s%(5gIG2, G3I) 
and: SgMx)} D lpg,,3g{SGlG4) 
Intersecting each side with $\theta$ preserves the order, hence: 6 fl SgIp{x)} D Q n 

K-5%(^gIGi1) 

and: 9 n SgMx)} DOH 4^^7,5% (^g I G2, G3I) 
and: 9 n SgMx)} D 9 n ipg^sB^iSalGij) 

Again, projecting and renaming both sides in the same way preserves the order, 
hence: ip:ij3s{Q n SgM^)1) 2 ipsjMQ n lp^j3^{SGlGij)) 
and: ips,yMQ n 5Gb(f )1) 3 4^5,1735(9 n 4^^7,5% (5g[G2, G3I)) 
and: 4^5,^35(9 n SoMm 2 Ipx^yM® n 4y3ff,23g(5G[G4l)) 
Now, since the following holds in general: 

4ps,j?35(ri n 4jOj7,s3j7(r2)) 2 ]ps,^MTi) n Ta, 

performing the same transformation on the above still preserves the order, 
hence: Ip^^M^ n 5Gb(f )1) 2 ips^M^) n ^cIGil 
and: 4PiH,j73s(9_n ScMm 2 ips,yMQ) ^ SgIG2, G3I 

= lps,yMQ) n 5g[G21 n 5g[G31 

and: ips,y3sie n ScMm 2 Ips.yM®) n 5g[G41 
by monotonicity of J-g , therefore: 

j-G[Gil/ifc lps,yM[Q n SGMm) 3 ^G[GilMfc[4P2,j3s(9) n 5g[Gi1] 

by assumption: TGlGMlps.^yMB) n 5gIGi1] □ TGlGM\ps,yMQ)] 
hence the following holds of the first part of the sequence: 

J'GlGljfik IpS.yMi^ n SGMm) □ TGlGljflk lpS,yM&] 

and Similarly: TclGilf^k lps-,yM[Q(^SGMm) ^ -^GlG4lMfc[4P5,5%(e)n5G[G4l] 
by assumption: TGlG4lnk[lPx,y^x{Q) n S'g[G41] □ TGlG4l^J.k[lPx,y^x{Q)] 
hence the parallel thing holds for the second possibility of the second part of the 
sequence: 

^GlG4lA*fc IPx.yMl^ n SGMm) 3 :FGlG4^^k IpS.yM^] 

As for the first possibility for the second part of the sequence, consider this: 
by monotonicity of J^g- 

$ : $ = ^G[G2l/ifc ]px,yM[e n SGMm) 

2 TGlG2hk[\Ps,yM^) n 5g[G21 n 5g[G31] 

by assumption: 

J'GlG2jiik[iPx,yM^) n 5g[G^1 n 5g[G31] 3 J-G[G2lMfc[4p5,ff35(e) n 5g[G31] 
by Lemma 1: TGlG2}fikHPx.y\{Q) n ^gIGSI] = J'GlG2hk[iPs;,yMQ] n ^g[G31 
hence: $ : $ □ J'GlG2hk[ips,yM'd] n 5gIG31 

now call the part of the sequence we are aiming for here A : A = J-"G|G2]/ifc \ps^jj3s{[Q]) 

then: $ : I □ (A : A) n S'g|IG31 

hence: [$] □ [An^'dGgl] 

hence: ^GlGal/Xfcl*] 2 -FGlGal/XfclA n IG3I] 

by assumption: J^GlGajf^klA n [G3I] 2 J^GlGsl/UfefA] 

hence: J^clGajlikm 2 J-G[G3lMfc[A] 

These last few lines show that each part of the sequence we are considering is 
greater than the sequence we are aiming for. Pulling these together, we arrive at: 

43,j(-FG[GilMfc ips,yM[&r)SGMm) ■■ *) 3 4H5(7-G[Gil/xfc ips,yMm ■■ A) 
where 
andA=/ -^GlG3l/i,[A] _ z/ ^cIGal^^c 4P2,y3s([G]) = A : A 

therefore: fik+i{piy)) lps,y^x{['d n S'Gb(^)l]) 3 Mfc+i(p(y)) 4y05,j(35([e]) 
applying the same renaming and projection to both sides preserves the order: 

]Py,x^y{lJ,k+lip{y)) lpS,y^xi[Q SgM^W) 3 4/)g,s3j;(/ifc+i(p(y)) ips^^3s{[@])) 

now name these two sequences: 

lpg^sMf'k+i{p{y)) ips,yM[Q_n SGlpix)}])) = *' 
and: ip^^s3y{fik+iipiy)) Ips^^BsiM)) = A' 
and notice the following two facts: 

(1) A'ne = ^Gb(f)lMfc+i[e] 

(2) n SgMx)} n e = ^Gb(^)lMfc+i[e n SGMm 

then from above we have: A' C ^' 

hence: A' n 9 C 

by (1) and Theorem 1, therefore: |J(A') n = U(A' n 0) C 6 n SGipix)} 

hence: U(A') C SgHS)} 

therefore for each A' in A': A' C SgMx)} 

hence for each A' in A': A' n SgIp{x)} = A' 

hence: A' n SgIp{x)1 = A' 

hence: A' n 9 = A' n SgMx)} n 9 C ^' n SgM^)} n 9 
substituting using (2), we therefore arrive at: 

^Gb(^)l/xfc+i[9] E ^Gb(^)lMfc+i[e n SGip{x)l] 

2.2 Induction Step: $G = G_1, G_2$

Assume: $\mathcal{F}_G[G_1]\mu_{k+1}[\Theta_1] \sqsubseteq \mathcal{F}_G[G_1]\mu_{k+1}[\Theta_1 \cap S_G[G_1]]$

And: $\mathcal{F}_G[G_2]\mu_{k+1}[\Theta_2] \sqsubseteq \mathcal{F}_G[G_2]\mu_{k+1}[\Theta_2 \cap S_G[G_2]]$

Show: $\mathcal{F}_G[G_1, G_2]\mu_{k+1}[\Theta] \sqsubseteq \mathcal{F}_G[G_1, G_2]\mu_{k+1}[\Theta \cap S_G[G_1, G_2]]$

$\mathcal{F}_G[G_1, G_2]\mu_{k+1}[\Theta] = \mathcal{F}_G[G_2]\mu_{k+1}(\mathcal{F}_G[G_1]\mu_{k+1}[\Theta])$

by assumption: $\mathcal{F}_G[G_1]\mu_{k+1}[\Theta] \sqsubseteq \mathcal{F}_G[G_1]\mu_{k+1}[\Theta \cap S_G[G_1]]$

hence: $\mathcal{F}_G[G_2]\mu_{k+1}(\mathcal{F}_G[G_1]\mu_{k+1}[\Theta]) \sqsubseteq \mathcal{F}_G[G_2]\mu_{k+1}(\mathcal{F}_G[G_1]\mu_{k+1}[\Theta \cap S_G[G_1]])$

by assumption:

$\mathcal{F}_G[G_2]\mu_{k+1}(\mathcal{F}_G[G_1]\mu_{k+1}[\Theta \cap S_G[G_1]]) \sqsubseteq \mathcal{F}_G[G_2]\mu_{k+1}((\mathcal{F}_G[G_1]\mu_{k+1}[\Theta \cap S_G[G_1]]) \cap S_G[G_2])$

by Lemma 1: $(\mathcal{F}_G[G_1]\mu_{k+1}[\Theta \cap S_G[G_1]]) \cap S_G[G_2] = \mathcal{F}_G[G_1]\mu_{k+1}[\Theta \cap S_G[G_1] \cap S_G[G_2]]$

hence: $\mathcal{F}_G[G_2]\mu_{k+1}((\mathcal{F}_G[G_1]\mu_{k+1}[\Theta \cap S_G[G_1]]) \cap S_G[G_2])$

$= \mathcal{F}_G[G_2]\mu_{k+1}(\mathcal{F}_G[G_1]\mu_{k+1}[\Theta \cap S_G[G_1] \cap S_G[G_2]])$

$= \mathcal{F}_G[G_1, G_2]\mu_{k+1}[\Theta \cap S_G[G_1, G_2]]$
therefore: $\mathcal{F}_G[G_1, G_2]\mu_{k+1}[\Theta] \sqsubseteq \mathcal{F}_G[G_1, G_2]\mu_{k+1}[\Theta \cap S_G[G_1, G_2]]$

Therefore since: (a) $\mathcal{F}_G[G]\mu[\Theta \cap S_G[G]] \sqsubseteq \mathcal{F}_G[G]\mu[\Theta]$
and (b) $\mathcal{F}_G[G]\mu[\Theta] \sqsubseteq \mathcal{F}_G[G]\mu[\Theta \cap S_G[G]]$,

it follows that: $\mathcal{F}_G[G]\mu[\Theta] = \mathcal{F}_G[G]\mu[\Theta \cap S_G[G]]$
QED

8.4.3 Proof of Theorem 2: For $\Theta \in Con_{Seq}$ and stratified $P = P_0 \cup \ldots \cup P_n$:

$\Theta \subseteq \mathcal{D}_G[G]\delta_P \Rightarrow |\mathcal{F}_G[G]\mu_P[\Theta]| \le 1$.

First notice that the following things hold:

(1) $\Theta \subseteq (\Phi \to \Psi) \Rightarrow \Theta \cap \Phi \subseteq \Psi$

(2) $\Theta \subseteq mux(\Phi, \Psi) \Rightarrow (\Theta \cap \Phi = \{false\}) \vee (\Theta \cap \Psi = \{false\})$

(3) $\mathcal{F}_G[G]\mu\Theta \subseteq \bigcup\Theta \cap S_G[G]$

for any $\mu$ constructed by application of $\mathcal{F}_P[P]$ to $\mu_\bot$

(4) $\forall\bar{x}(\Theta \cap \Phi) = \forall\bar{x}(\Theta) \cap \forall\bar{x}(\Phi)$

(5) e c 4pj7,sVj;($) => ips,^3sie) c $ 

This holds due to the following few lines of reasoning: 
^ 3^(6) (since 3 is extensive) 
if0^K,sV5(cl>) 
then 3s{Q) C 3g(4jO|;,5V5($)) 
(by monotonicity of 3) 

then lps,g3s{^) ^ \Px,y3s{-iPy,S^y{'^)) = 4Px, j7(^by,5VJ?($)) 

(by monotonicity of 4, p) 
iPx,yiPy,x cancel out and V is reductive, hence: 

(6) $\mathcal{F}_G[G]\mu[\theta] \sqsubseteq \mathcal{F}_G[G]\mu(\theta : \Theta)$

again for any $\mu$ constructed by application of $\mathcal{F}_P[P]$ to $\mu_\bot$

(7) $\Theta_1 \sqsubseteq \Theta_2 \Rightarrow |\Theta_1| \le |\Theta_2|$

Proof by nested induction on:

1. $\mu$,

2. structure of G:
1 Base Case: $\mu = \mu_\bot$

show: $\Theta \subseteq \mathcal{D}_G[G]\delta_P \Rightarrow |\mathcal{F}_G[G]\mu_\bot[\Theta]| \le 1$
Induction on structure of G:

1.1 Two Base Cases: (1) $G = post(\phi)$, (2) $G = p(\bar{x})$

(1) $G = post(\phi)$:

Show: $\Theta \subseteq \mathcal{D}_G[post(\phi)]\delta_P \Rightarrow |\mathcal{F}_G[post(\phi)]\mu_\bot[\Theta]| \le 1$

$\mathcal{F}_G[post(\phi)]\mu_\bot[\Theta] = trim([\downarrow\{\phi\} \cap \Theta])$

hence: $|\mathcal{F}_G[post(\phi)]\mu_\bot[\Theta]| = |trim([\downarrow\{\phi\} \cap \Theta])| \le 1$

(2) $G = p(\bar{x})$

Show: $\Theta \subseteq \mathcal{D}_G[p(\bar{y})]\delta_P \Rightarrow |\mathcal{F}_G[p(\bar{y})]\mu_\bot[\Theta]| \le 1$

^Gb(j?)lM±[0] = iPy,xM^i± {pm \ps,yMm) n 9 : [] 


J. Kriener and A. King 



hence: $\mathcal{F}_G[p(\bar{y})]\mu_\bot[\Theta] = []$
hence: $|\mathcal{F}_G[p(\bar{y})]\mu_\bot[\Theta]| = |[]| = 0$

1.2 Induction Step:

Assume: $\Theta_1 \subseteq \mathcal{D}_G[G_1]\delta_P \Rightarrow |\mathcal{F}_G[G_1]\mu_\bot[\Theta_1]| \le 1$
And: $\Theta_2 \subseteq \mathcal{D}_G[G_2]\delta_P \Rightarrow |\mathcal{F}_G[G_2]\mu_\bot[\Theta_2]| \le 1$
Show: $\Theta \subseteq \mathcal{D}_G[G]\delta_P \Rightarrow |\mathcal{F}_G[G]\mu_\bot[\Theta]| \le 1$

$\mathcal{D}_G[G]\delta_P = (S_G[G_2] \to \mathcal{D}_G[G_1]\delta_P) \cap (S_G[G_1] \to \mathcal{D}_G[G_2]\delta_P)$

$\Theta \subseteq \mathcal{D}_G[G]\delta_P \Rightarrow \Theta \subseteq (S_G[G_1] \to \mathcal{D}_G[G_2]\delta_P) \Rightarrow \Theta \cap S_G[G_1] \subseteq \mathcal{D}_G[G_2]\delta_P$
$\Theta \subseteq \mathcal{D}_G[G]\delta_P \Rightarrow \Theta \subseteq (S_G[G_2] \to \mathcal{D}_G[G_1]\delta_P) \Rightarrow \Theta \cap S_G[G_2] \subseteq \mathcal{D}_G[G_1]\delta_P$

$\mathcal{F}_G[G]\mu_\bot[\Theta] = \mathcal{F}_G[G]\mu_\bot[\Theta \cap S_G[G]]$ (by Lemma 2)
$\mathcal{F}_G[G]\mu_\bot[\Theta \cap S_G[G]] = \mathcal{F}_G[G_2]\mu_\bot(\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1, G_2]])$

$\Theta \cap S_G[G_1, G_2] = \Theta \cap S_G[G_1] \cap S_G[G_2] \subseteq \Theta \cap S_G[G_2] \subseteq \mathcal{D}_G[G_1]\delta_P$

hence by assumption: $|\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1, G_2]]| \le 1$

distinguish two cases:

(a) $|\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1, G_2]]| = 0$,

(b) $|\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1, G_2]]| = 1$

(a) $|\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1, G_2]]| = 0$

$\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1, G_2]] = []$

$\mathcal{F}_G[G]\mu_\bot[\Theta \cap S_G[G_1, G_2]] = \mathcal{F}_G[G_2]\mu_\bot[] = []$

hence: $|\mathcal{F}_G[G]\mu_\bot[\Theta \cap S_G[G_1, G_2]]| \le 1$

by Lemma 2 (remembering $G = G_1, G_2$): $|\mathcal{F}_G[G]\mu_\bot[\Theta]| \le 1$

(b) $|\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1, G_2]]| = 1$
$\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1, G_2]] = [\Psi]$

by Theorem 1: $\bigcup(\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1, G_2]])$

$\subseteq \Theta \cap S_G[G_1, G_2] \cap S_G[G_1]$

$\subseteq \Theta \cap S_G[G_1]$

hence: $\Psi \subseteq \Theta \cap S_G[G_1]$

hence: $\Psi \subseteq \mathcal{D}_G[G_2]\delta_P$

hence by assumption: $|\mathcal{F}_G[G_2]\mu_\bot[\Psi]| \le 1$

hence (again by Lemma 2): $|\mathcal{F}_G[G_2]\mu_\bot(\mathcal{F}_G[G_1]\mu_\bot[\Theta \cap S_G[G_1, G_2]])|$

$= |\mathcal{F}_G[G]\mu_\bot[\Theta \cap S_G[G_1, G_2]]|$
$= |\mathcal{F}_G[G]\mu_\bot[\Theta]| \le 1$

2 Induction Step:

Assume: $X \subseteq \mathcal{D}_G[H]\delta_P \Rightarrow |\mathcal{F}_G[H]\mu_k[X]| \le 1$
Show: $\Theta \subseteq \mathcal{D}_G[G]\delta_P \Rightarrow |\mathcal{F}_G[G]\mu_{k+1}[\Theta]| \le 1$
where $\mu_{k+1} = \mathcal{F}_P[P]\mu_k$



Induction on structure of $G$:
2.1 Two base cases: (1) $G = \mathit{post}(\phi)$, (2) $G = p(\bar{x})$
(1) $G = \mathit{post}(\phi)$:

Show: $\Theta \subseteq \mathcal{D}_G\llbracket \mathit{post}(\phi)\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket \mathit{post}(\phi)\rrbracket\mu_{k+1}[\Theta]| \le 1$

$\mathcal{F}_G\llbracket \mathit{post}(\phi)\rrbracket\mu_{k+1}[\Theta] = \mathit{trim}([\downarrow\{\phi\} \cap \Theta])$

hence: $|\mathcal{F}_G\llbracket \mathit{post}(\phi)\rrbracket\mu_{k+1}[\Theta]| = |\mathit{trim}([\downarrow\{\phi\} \cap \Theta])| \le 1$
(2) $G = p(\bar{x})$

Assume (without loss of generality): $p(\bar{y}) \leftarrow G_1;\ G_2, !, G_3;\ G_4 \in P$
Show: $\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket p(\bar{x})\rrbracket\mu_{k+1}[\Theta]| \le 1$

$\mathcal{F}_G\llbracket p(\bar{x})\rrbracket\mu_{k+1}[\Theta] = \psi_{\bar{y},\bar{x}}\exists_{\bar{y}}(\mu_{k+1}(p(\bar{y}))\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])) \cap \Theta$

hence: $|\mathcal{F}_G\llbracket p(\bar{x})\rrbracket\mu_{k+1}[\Theta]| = |\psi_{\bar{y},\bar{x}}\exists_{\bar{y}}(\mu_{k+1}(p(\bar{y}))\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])) \cap \Theta| = |\mu_{k+1}(p(\bar{y}))\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])|$
and: $\mu_{k+1}(p(\bar{y}))\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]) = \exists_{\bar{y}}(\mathcal{F}_G\llbracket G_1\rrbracket\mu_k(\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])) : \Xi)$

where $\Xi = \mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi]$ if $\mathcal{F}_G\llbracket G_2\rrbracket\mu_k(\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])) = \Phi : \Psi$

and $\Xi = \mathcal{F}_G\llbracket G_4\rrbracket\mu_k(\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]))$ if $\mathcal{F}_G\llbracket G_2\rrbracket\mu_k(\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])) = []$

$|\exists_{\bar{y}}(\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]) : \Xi)| = |\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]) : \Xi|$

Show $\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]) : \Xi| \le 1$ in two steps:

1 Show that each component cannot be longer than 1:

1a Show: $\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \le 1$
1b Show: $\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket G_4\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \le 1$
1c Show: $\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi]| \le 1$
where $\mathcal{F}_G\llbracket G_2\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]) = \Phi : \Psi$

2 Show that only one component can be longer than 0:

$\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow \neg(|\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \ne 0 \wedge |\Xi| \ne 0)$
This is done thus:
2a Show:

$\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow \neg(|\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \ne 0 \wedge |\mathcal{F}_G\llbracket G_4\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \ne 0)$

2b Show:

$\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow \neg(|\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \ne 0 \wedge |\mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi]| \ne 0)$
where $\mathcal{F}_G\llbracket G_2\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]) = \Phi : \Psi$

$\mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P = \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\delta_P(p(\bar{y})))$

$= \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\forall_{\bar{y}}(\mathcal{D}_G\llbracket G_1\rrbracket\delta_P \cap (\mathcal{S}_G\llbracket G_2\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_3\rrbracket\delta_P) \cap \mathcal{D}_G\llbracket G_4\rrbracket\delta_P \cap \Theta_1 \cap \Theta_2))$

$= \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathcal{D}_G\llbracket G_1\rrbracket\delta_P \cap (\mathcal{S}_G\llbracket G_2\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_3\rrbracket\delta_P) \cap \mathcal{D}_G\llbracket G_4\rrbracket\delta_P \cap \Theta_1 \cap \Theta_2)$
where $\Theta_1 = \mathit{mux}(\mathcal{S}_G\llbracket G_1\rrbracket, \mathcal{S}_G\llbracket G_4\rrbracket)$
and $\Theta_2 = \mathit{mux}(\mathcal{S}_G\llbracket G_1\rrbracket, \mathcal{S}_G\llbracket G_2, G_3\rrbracket)$

$= \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathcal{D}_G\llbracket G_1\rrbracket\delta_P)$

$\cap\ \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathcal{S}_G\llbracket G_2\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_3\rrbracket\delta_P)$
$\cap\ \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathcal{D}_G\llbracket G_4\rrbracket\delta_P)$




$\cap\ \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathit{mux}(\mathcal{S}_G\llbracket G_1\rrbracket, \mathcal{S}_G\llbracket G_4\rrbracket))$

$\cap\ \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathit{mux}(\mathcal{S}_G\llbracket G_1\rrbracket, \mathcal{S}_G\llbracket G_2, G_3\rrbracket))$
(by (4) stated above)

1a Show: $\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \le 1$

$\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow \Theta \subseteq \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathcal{D}_G\llbracket G_1\rrbracket\delta_P)$

hence (by (5) stated above): $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \subseteq \mathcal{D}_G\llbracket G_1\rrbracket\delta_P$
hence by assumption: $|\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \le 1$

1b Show: $\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket G_4\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \le 1$

$\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow \Theta \subseteq \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathcal{D}_G\llbracket G_4\rrbracket\delta_P)$

hence (again by (5) above): $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \subseteq \mathcal{D}_G\llbracket G_4\rrbracket\delta_P$
hence by assumption: $|\mathcal{F}_G\llbracket G_4\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \le 1$

1c Show: $\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi]| \le 1$
where $\mathcal{F}_G\llbracket G_2\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]) = \Phi : \Psi$

$\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow \Theta \subseteq \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathcal{S}_G\llbracket G_2\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_3\rrbracket\delta_P)$

hence (again by (5) above): $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \subseteq (\mathcal{S}_G\llbracket G_2\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_3\rrbracket\delta_P)$

hence (by (1) stated above): $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_2\rrbracket \subseteq \mathcal{D}_G\llbracket G_3\rrbracket\delta_P$

by Theorem 1: $\bigcup(\Phi : \Psi) = \bigcup(\mathcal{F}_G\llbracket G_2\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])) \subseteq \psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_2\rrbracket$

therefore (since $\Phi \subseteq \bigcup(\Phi : \Psi)$): $\Phi \subseteq \psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_2\rrbracket \subseteq \mathcal{D}_G\llbracket G_3\rrbracket\delta_P$

by assumption: $|\mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi]| \le 1$

2a Show:

$\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow \neg(|\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \ne 0 \wedge |\mathcal{F}_G\llbracket G_4\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \ne 0)$

$\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow \Theta \subseteq \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathit{mux}(\mathcal{S}_G\llbracket G_1\rrbracket, \mathcal{S}_G\llbracket G_4\rrbracket))$

hence (by (5) stated above): $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \subseteq \mathit{mux}(\mathcal{S}_G\llbracket G_1\rrbracket, \mathcal{S}_G\llbracket G_4\rrbracket)$

hence (by (2) stated above):

$(\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_1\rrbracket = \{\mathit{false}\}) \vee (\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_4\rrbracket = \{\mathit{false}\})$
by Theorem 1: $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_1\rrbracket = \{\mathit{false}\} \Rightarrow \mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]) = []$
hence: $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_1\rrbracket = \{\mathit{false}\} \Rightarrow |\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| = 0$
similarly: $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_4\rrbracket = \{\mathit{false}\} \Rightarrow \mathcal{F}_G\llbracket G_4\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]) = []$
hence: $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_4\rrbracket = \{\mathit{false}\} \Rightarrow |\mathcal{F}_G\llbracket G_4\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| = 0$
therefore: $(|\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| = 0) \vee (|\mathcal{F}_G\llbracket G_4\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| = 0)$
hence: $\neg((|\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \ne 0) \wedge (|\mathcal{F}_G\llbracket G_4\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \ne 0))$

2b Show: $\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow \neg(|\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \ne 0 \wedge |\mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi]| \ne 0)$
where $\mathcal{F}_G\llbracket G_2\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]) = \Phi : \Psi$

$\Theta \subseteq \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_P \Rightarrow \Theta \subseteq \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathit{mux}(\mathcal{S}_G\llbracket G_1\rrbracket, \mathcal{S}_G\llbracket G_2, G_3\rrbracket))$
hence (again by (5) above): $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \subseteq \mathit{mux}(\mathcal{S}_G\llbracket G_1\rrbracket, \mathcal{S}_G\llbracket G_2, G_3\rrbracket)$
hence (again by (2) above):

$(\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_1\rrbracket = \{\mathit{false}\}) \vee (\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_2, G_3\rrbracket = \{\mathit{false}\})$

by Theorem 1: $\Phi \subseteq \bigcup(\mathcal{F}_G\llbracket G_2\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])) \subseteq \psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_2\rrbracket$

by Theorem 1: $\bigcup(\mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi]) \subseteq \Phi \cap \mathcal{S}_G\llbracket G_3\rrbracket \subseteq \psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_2\rrbracket \cap \mathcal{S}_G\llbracket G_3\rrbracket$

hence: $\bigcup(\mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi]) \subseteq \psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_2, G_3\rrbracket$

hence: $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_2, G_3\rrbracket = \{\mathit{false}\} \Rightarrow \mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi] = []$
hence: $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_2, G_3\rrbracket = \{\mathit{false}\} \Rightarrow |\mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi]| = 0$

also (by Theorem 1): $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_1\rrbracket = \{\mathit{false}\} \Rightarrow \mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta]) = []$

hence: $\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}(\Theta) \cap \mathcal{S}_G\llbracket G_1\rrbracket = \{\mathit{false}\} \Rightarrow |\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| = 0$

hence: $(|\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| = 0) \vee (|\mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi]| = 0)$

hence: $\neg((|\mathcal{F}_G\llbracket G_1\rrbracket\mu_k\,\psi_{\bar{x},\bar{y}}\exists_{\bar{x}}([\Theta])| \ne 0) \wedge (|\mathcal{F}_G\llbracket G_3\rrbracket\mu_k[\Phi]| \ne 0))$

2.2 Induction Step:
$G = G_1, G_2$:

Assume: $\Theta_1 \subseteq \mathcal{D}_G\llbracket G_1\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket G_1\rrbracket\mu_{k+1}[\Theta_1]| \le 1$
And: $\Theta_2 \subseteq \mathcal{D}_G\llbracket G_2\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket G_2\rrbracket\mu_{k+1}[\Theta_2]| \le 1$
Show: $\Theta \subseteq \mathcal{D}_G\llbracket G\rrbracket\delta_P \Rightarrow |\mathcal{F}_G\llbracket G\rrbracket\mu_{k+1}[\Theta]| \le 1$
where $\mu_{k+1} = \mathcal{F}_P\llbracket P\rrbracket\mu_k$

$\mathcal{D}_G\llbracket G\rrbracket\delta_P = (\mathcal{S}_G\llbracket G_2\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_1\rrbracket\delta_P) \cap (\mathcal{S}_G\llbracket G_1\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_2\rrbracket\delta_P)$
therefore if $\Theta \subseteq \mathcal{D}_G\llbracket G\rrbracket\delta_P$

then $\Theta \subseteq (\mathcal{S}_G\llbracket G_1\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_2\rrbracket\delta_P)$

and hence $\Theta \cap \mathcal{S}_G\llbracket G_1\rrbracket \subseteq \mathcal{D}_G\llbracket G_2\rrbracket\delta_P$
similarly if $\Theta \subseteq \mathcal{D}_G\llbracket G\rrbracket\delta_P$

then $\Theta \subseteq (\mathcal{S}_G\llbracket G_2\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_1\rrbracket\delta_P)$

and hence $\Theta \cap \mathcal{S}_G\llbracket G_2\rrbracket \subseteq \mathcal{D}_G\llbracket G_1\rrbracket\delta_P$
by Lemma 2: $\mathcal{F}_G\llbracket G\rrbracket\mu_{k+1}[\Theta] = \mathcal{F}_G\llbracket G\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G\rrbracket]$
applying the definition of $\mathcal{F}_G$:

$\mathcal{F}_G\llbracket G\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G\rrbracket] = \mathcal{F}_G\llbracket G_2\rrbracket\mu_{k+1}(\mathcal{F}_G\llbracket G_1\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket])$

now notice that: $\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket$

$= \Theta \cap \mathcal{S}_G\llbracket G_1\rrbracket \cap \mathcal{S}_G\llbracket G_2\rrbracket$
$\subseteq \Theta \cap \mathcal{S}_G\llbracket G_2\rrbracket$

$\subseteq \mathcal{D}_G\llbracket G_1\rrbracket\delta_P$

hence by assumption: $|\mathcal{F}_G\llbracket G_1\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket]| \le 1$

distinguish two cases:

(a) $|\mathcal{F}_G\llbracket G_1\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket]| = 0$,

(b) $|\mathcal{F}_G\llbracket G_1\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket]| = 1$

(a) $|\mathcal{F}_G\llbracket G_1\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket]| = 0$

$\mathcal{F}_G\llbracket G_1\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket] = []$

$\mathcal{F}_G\llbracket G\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket] = \mathcal{F}_G\llbracket G_2\rrbracket\mu_{k+1}[] = []$
hence: $|\mathcal{F}_G\llbracket G\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket]| \le 1$

hence by Lemma 2 (remembering $G = G_1, G_2$): $|\mathcal{F}_G\llbracket G\rrbracket\mu_{k+1}[\Theta]| \le 1$

(b) $|\mathcal{F}_G\llbracket G_1\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket]| = 1$

$\mathcal{F}_G\llbracket G_1\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket] = [\Psi]$

therefore: $\bigcup(\mathcal{F}_G\llbracket G_1\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket]) = \Psi$

by Theorem 1: $\Psi \subseteq \Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket \cap \mathcal{S}_G\llbracket G_1\rrbracket \subseteq \Theta \cap \mathcal{S}_G\llbracket G_1\rrbracket$

hence since $\Theta \cap \mathcal{S}_G\llbracket G_1\rrbracket \subseteq \mathcal{D}_G\llbracket G_2\rrbracket\delta_P$ (see above): $\Psi \subseteq \mathcal{D}_G\llbracket G_2\rrbracket\delta_P$

hence by assumption: $|\mathcal{F}_G\llbracket G_2\rrbracket\mu_{k+1}[\Psi]| \le 1$
hence (again using Lemma 2): $|\mathcal{F}_G\llbracket G_2\rrbracket\mu_{k+1}(\mathcal{F}_G\llbracket G_1\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket])|$

$= |\mathcal{F}_G\llbracket G\rrbracket\mu_{k+1}[\Theta \cap \mathcal{S}_G\llbracket G_1, G_2\rrbracket]|$
$= |\mathcal{F}_G\llbracket G\rrbracket\mu_{k+1}[\Theta]| \le 1$

QED



8.5 Abstraction Proofs

8.5.1 Proposition 1: If $\Theta_1 \subseteq \gamma_{\bar{x}}(f_1)$ and $\gamma_{\bar{x}}(f_2) \subseteq \Theta_2$ then $\gamma_{\bar{x}}(f_1 \rightarrow f_2) \subseteq \Theta_1 \Rightarrow \Theta_2$

$\gamma_{\bar{x}}(f_1 \rightarrow f_2)$

$= \bigcup\{\gamma_{\bar{x}}(f) \mid f \models f_1 \rightarrow f_2\}$
$= \bigcup\{\Theta \mid \alpha_{\bar{x}}(\Theta) \models f_1 \rightarrow f_2\}$

$= \bigcup\{\Theta \mid (\alpha_{\bar{x}}(\Theta) \models f_1) \rightarrow (\alpha_{\bar{x}}(\Theta) \models f_2)\}$

$= \bigcup\{\Theta \mid (\Theta \subseteq \gamma_{\bar{x}}(f_1)) \rightarrow (\Theta \subseteq \gamma_{\bar{x}}(f_2))\}$
$\subseteq \bigcup\{\Theta \mid (\Theta \subseteq \Theta_1) \rightarrow (\Theta \subseteq \Theta_2)\}$
$= \bigcup\{\Theta \mid (\Theta \subseteq \Theta_1 \cap \Theta_2) \vee (\Theta \not\subseteq \Theta_1)\}$
$= \bigcup\{\Theta \mid \Theta \subseteq (\Theta_1 \cap \Theta_2) \cup (\mathit{Con} \setminus \Theta_1)\}$
$= \bigcup\{\Theta \mid \Theta \cap \Theta_1 \subseteq \Theta_2\}$

$= \Theta_1 \Rightarrow \Theta_2$

8.5.2 Proposition 2: $\gamma_{\bar{x}}(\mathit{mux}^\alpha_{\bar{x}}(\Theta^\alpha_1, \Theta^\alpha_2)) \subseteq \mathit{mux}(\Theta_1, \Theta_2)$

Proof:

First notice that by the definition of the Galois connection (i.e. of $\gamma()$ and $\alpha()$) the following: $\gamma_{\bar{x}}(\mathit{mux}^\alpha_{\bar{x}}(\Theta^\alpha_1, \Theta^\alpha_2)) \subseteq \mathit{mux}(\Theta_1, \Theta_2)$

is equivalent to: $\alpha_{\bar{x}}(\Psi) \models \mathit{mux}^\alpha_{\bar{x}}(\Theta^\alpha_1, \Theta^\alpha_2) \Rightarrow \Psi \subseteq \mathit{mux}(\Theta_1, \Theta_2)$

Now: $\alpha_{\bar{x}}(\Psi) \models \mathit{mux}^\alpha_{\bar{x}}(\Theta^\alpha_1, \Theta^\alpha_2)$ iff for each clause in $\alpha_{\bar{x}}(\Psi)$ there is a clause in $\mathit{mux}^\alpha_{\bar{x}}(\Theta^\alpha_1, \Theta^\alpha_2)$ that is entailed by it, ie:

$\forall\psi \in \Psi.\ \exists Y \subseteq \mathit{vars}(\bar{x}).\ (\forall\theta_1 \in \Theta^\alpha_1.\ \forall\theta_2 \in \Theta^\alpha_2.\ (\exists_Y(\theta_1) \wedge \exists_Y(\theta_2) = \mathit{false})) \wedge \alpha_{\bar{x}}(\psi) \models \bigwedge Y$

Since $\mathit{mux}^\alpha_{\bar{x}}(\Theta^\alpha_1, \Theta^\alpha_2)$ contains only positive (ie non-negated) literals, only the positive literals entailed by $\alpha_{\bar{x}}(\psi)$ are relevant.

Now, the positive literals entailed by $\alpha_{\bar{x}}(\psi)$ are exactly $\mathit{vars}(\bar{x}) \cap \mathit{fix}(\psi)$.
Therefore: $\psi \in \gamma_{\bar{x}}(\mathit{mux}^\alpha_{\bar{x}}(\Theta^\alpha_1, \Theta^\alpha_2))$

iff $\exists Y \subseteq (\mathit{vars}(\bar{x}) \cap \mathit{fix}(\psi)).\ (\forall\theta_1 \in \Theta^\alpha_1.\ \forall\theta_2 \in \Theta^\alpha_2.\ (\exists_Y(\theta_1) \wedge \exists_Y(\theta_2) = \mathit{false}))$

Now observe that the following three things hold:

(1) $\forall\phi \in \Phi.\ \exists\phi' \in \Phi^\alpha.\ (\phi \models \phi')$

(2) $((f_1 \models f_1') \wedge (f_2 \models f_2') \wedge (f_1' \wedge f_2' = \mathit{false})) \Rightarrow f_1 \wedge f_2 = \mathit{false}$

(3) $\phi \models \phi' \Rightarrow \exists_Y(\phi) \models \exists_Y(\phi')$

Therefore from $\forall\theta_1' \in \Theta^\alpha_1.\ \forall\theta_2' \in \Theta^\alpha_2.\ (\exists_Y(\theta_1') \wedge \exists_Y(\theta_2') = \mathit{false})$
it follows: $\forall\theta_1 \in \Theta_1.\ \forall\theta_2 \in \Theta_2.\ (\exists_Y(\theta_1) \wedge \exists_Y(\theta_2) = \mathit{false})$
And thus: $\exists_Y(\Theta_1) \cap \exists_Y(\Theta_2) = \{\mathit{false}\}$
Hence the following entailment holds:

$\forall\psi.\ (\exists Y \subseteq (\mathit{vars}(\bar{x}) \cap \mathit{fix}(\psi)).\ (\forall\theta_1 \in \Theta^\alpha_1.\ \forall\theta_2 \in \Theta^\alpha_2.\ (\exists_Y(\theta_1) \wedge \exists_Y(\theta_2) = \mathit{false})))$

$\vdash$

$\exists Y \subseteq \mathit{fix}(\psi).\ (\exists_Y(\Theta_1) \cap \exists_Y(\Theta_2) = \{\mathit{false}\})$

Therefore: $\forall\psi.\ (\psi \in \gamma_{\bar{x}}(\mathit{mux}^\alpha_{\bar{x}}(\Theta^\alpha_1, \Theta^\alpha_2)) \Rightarrow \psi \in \mathit{mux}(\Theta_1, \Theta_2))$
From which it follows: $\gamma_{\bar{x}}(\mathit{mux}^\alpha_{\bar{x}}(\Theta^\alpha_1, \Theta^\alpha_2)) \subseteq \mathit{mux}(\Theta_1, \Theta_2)$



8.6 Theorem 3: $\forall i \in \mathbb{N} : \gamma_{\mathit{vars}(G)}(\mathcal{D}^\alpha_G\llbracket G\rrbracket\delta^\alpha_i) \subseteq \mathcal{D}_G\llbracket G\rrbracket\delta_i$, where $\delta^\alpha_i / \delta_i$ are the results of $i$ applications of $\mathcal{D}^\alpha_P\llbracket P\rrbracket / \mathcal{D}_P\llbracket P\rrbracket$ to $\delta^\alpha_\top / \delta_\top$ respectively.

Proof by nested induction on:

1. $i$,

2. the structure of $G$:

notice first that: $\gamma_{\mathit{vars}(\bar{x})}(\psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(f)) \subseteq \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\gamma_{\mathit{vars}(\bar{y})}(f))$

1 Base Case: $i = 0$

$\delta^\alpha_0 = \delta^\alpha_\top$

$\delta_0 = \delta_\top$

Show: $\gamma_{\mathit{vars}(G)}(\mathcal{D}^\alpha_G\llbracket G\rrbracket\delta^\alpha_\top) \subseteq \mathcal{D}_G\llbracket G\rrbracket\delta_\top$

Induction on structure of $G$:

1.1 Two base cases: (1) $G = \mathit{post}(\phi)$, (2) $G = p(\bar{x})$
(1) $G = \mathit{post}(\phi)$

$\gamma_{\mathit{vars}(\phi)}(\mathcal{D}^\alpha_G\llbracket \mathit{post}(\phi)\rrbracket\delta^\alpha_\top)$

$= \gamma_{\mathit{vars}(\phi)}(\mathit{true})$

$= \downarrow\{\mathit{true}\}$

$= \mathcal{D}_G\llbracket \mathit{post}(\phi)\rrbracket\delta_\top$

hence: $\gamma_{\mathit{vars}(\phi)}(\mathcal{D}^\alpha_G\llbracket \mathit{post}(\phi)\rrbracket\delta^\alpha_\top) \subseteq \mathcal{D}_G\llbracket \mathit{post}(\phi)\rrbracket\delta_\top$
(2) $G = p(\bar{x})$

$\gamma_{\mathit{vars}(\bar{x})}(\mathcal{D}^\alpha_G\llbracket p(\bar{x})\rrbracket\delta^\alpha_\top)$

$= \gamma_{\mathit{vars}(\bar{x})}(\psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathit{true}))$

$\subseteq \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\gamma_{\mathit{vars}(\bar{y})}(\mathit{true}))$

$= \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\downarrow\{\mathit{true}\})$

$= \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_\top$

1.2 Induction step: $G = G_1, G_2$

Assume: $\gamma_{\mathit{vars}(G_{1/2})}(\mathcal{D}^\alpha_G\llbracket G_{1/2}\rrbracket\delta^\alpha_\top) \subseteq \mathcal{D}_G\llbracket G_{1/2}\rrbracket\delta_\top$

$\gamma_{\mathit{vars}(G_1, G_2)}(\mathcal{D}^\alpha_G\llbracket G_1, G_2\rrbracket\delta^\alpha_\top)$

$= \gamma_{\mathit{vars}(G_1, G_2)}((\mathcal{S}^\alpha_G\llbracket G_2\rrbracket \rightarrow \mathcal{D}^\alpha_G\llbracket G_1\rrbracket\delta^\alpha_\top) \wedge (\mathcal{S}^\alpha_G\llbracket G_1\rrbracket \rightarrow \mathcal{D}^\alpha_G\llbracket G_2\rrbracket\delta^\alpha_\top))$
(by monotonicity i.e. $\gamma_{\mathit{vars}(G_1, G_2)}(f_1 \wedge f_2) \subseteq \gamma_{\mathit{vars}(G_1, G_2)}(f_i)$)

$\subseteq (\mathcal{S}_G\llbracket G_2\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_1\rrbracket\delta_\top) \cap (\mathcal{S}_G\llbracket G_1\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_2\rrbracket\delta_\top)$

(by Proposition 1 and Proposition 3 and the induction assumption)



$= \mathcal{D}_G\llbracket G_1, G_2\rrbracket\delta_\top$



2 Induction step: $i = k + 1$

Assume: $\gamma_{\mathit{vars}(G)}(\mathcal{D}^\alpha_G\llbracket G\rrbracket\delta^\alpha_k) \subseteq \mathcal{D}_G\llbracket G\rrbracket\delta_k$

Show: $\gamma_{\mathit{vars}(G)}(\mathcal{D}^\alpha_G\llbracket G\rrbracket\delta^\alpha_{k+1}) \subseteq \mathcal{D}_G\llbracket G\rrbracket\delta_{k+1}$

where $\delta_{k+1} = \mathcal{D}_P\llbracket P\rrbracket\delta_k$ and $\delta^\alpha_{k+1} = \mathcal{D}^\alpha_P\llbracket P\rrbracket\delta^\alpha_k$
Induction on structure of $G$:

2.1 Two base cases: (1) $G = \mathit{post}(\phi)$, (2) $G = p(\bar{x})$
(1) $G = \mathit{post}(\phi)$

$\gamma_{\mathit{vars}(\phi)}(\mathcal{D}^\alpha_G\llbracket \mathit{post}(\phi)\rrbracket\delta^\alpha_{k+1})$
$= \gamma_{\mathit{vars}(\phi)}(\mathit{true})$
$= \downarrow\{\mathit{true}\}$

$= \mathcal{D}_G\llbracket \mathit{post}(\phi)\rrbracket\delta_{k+1}$

hence: $\gamma_{\mathit{vars}(\phi)}(\mathcal{D}^\alpha_G\llbracket \mathit{post}(\phi)\rrbracket\delta^\alpha_{k+1}) \subseteq \mathcal{D}_G\llbracket \mathit{post}(\phi)\rrbracket\delta_{k+1}$
(2) $G = p(\bar{x})$

Assume (without loss of generality): $p(\bar{y}) \leftarrow G_1;\ G_2, !, G_3;\ G_4 \in P$

$\gamma_{\mathit{vars}(\bar{x})}(\mathcal{D}^\alpha_G\llbracket p(\bar{x})\rrbracket\delta^\alpha_{k+1})$

$= \gamma_{\mathit{vars}(\bar{x})}(\psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathcal{D}^\alpha_G\llbracket G_1\rrbracket\delta^\alpha_k \wedge (\mathcal{S}^\alpha_G\llbracket G_2\rrbracket \rightarrow \mathcal{D}^\alpha_G\llbracket G_3\rrbracket\delta^\alpha_k) \wedge \mathcal{D}^\alpha_G\llbracket G_4\rrbracket\delta^\alpha_k$

$\wedge\ \mathit{mux}^\alpha_{\mathit{vars}(\bar{y})}(\mathcal{S}^\alpha_G\llbracket G_1\rrbracket, \mathcal{S}^\alpha_G\llbracket G_4\rrbracket)$

$\wedge\ \mathit{mux}^\alpha_{\mathit{vars}(\bar{y})}(\mathcal{S}^\alpha_G\llbracket G_1\rrbracket, \mathcal{S}^\alpha_G\llbracket G_2, G_3\rrbracket)))$
$\subseteq \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\gamma_{\mathit{vars}(\bar{y})}(\mathcal{D}^\alpha_G\llbracket G_1\rrbracket\delta^\alpha_k \wedge (\mathcal{S}^\alpha_G\llbracket G_2\rrbracket \rightarrow \mathcal{D}^\alpha_G\llbracket G_3\rrbracket\delta^\alpha_k) \wedge \mathcal{D}^\alpha_G\llbracket G_4\rrbracket\delta^\alpha_k$

$\wedge\ \mathit{mux}^\alpha_{\mathit{vars}(\bar{y})}(\mathcal{S}^\alpha_G\llbracket G_1\rrbracket, \mathcal{S}^\alpha_G\llbracket G_4\rrbracket)$

$\wedge\ \mathit{mux}^\alpha_{\mathit{vars}(\bar{y})}(\mathcal{S}^\alpha_G\llbracket G_1\rrbracket, \mathcal{S}^\alpha_G\llbracket G_2, G_3\rrbracket)))$

$\subseteq \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\gamma_{\mathit{vars}(\bar{y})}(\mathcal{D}^\alpha_G\llbracket G_1\rrbracket\delta^\alpha_k) \cap (\gamma_{\mathit{vars}(\bar{y})}(\mathcal{S}^\alpha_G\llbracket G_2\rrbracket) \Rightarrow \gamma_{\mathit{vars}(\bar{y})}(\mathcal{D}^\alpha_G\llbracket G_3\rrbracket\delta^\alpha_k)) \cap \gamma_{\mathit{vars}(\bar{y})}(\mathcal{D}^\alpha_G\llbracket G_4\rrbracket\delta^\alpha_k)$

$\cap\ \gamma_{\mathit{vars}(\bar{y})}(\mathit{mux}^\alpha_{\mathit{vars}(\bar{y})}(\mathcal{S}^\alpha_G\llbracket G_1\rrbracket, \mathcal{S}^\alpha_G\llbracket G_4\rrbracket))$
$\cap\ \gamma_{\mathit{vars}(\bar{y})}(\mathit{mux}^\alpha_{\mathit{vars}(\bar{y})}(\mathcal{S}^\alpha_G\llbracket G_1\rrbracket, \mathcal{S}^\alpha_G\llbracket G_2, G_3\rrbracket)))$

$\subseteq \psi_{\bar{y},\bar{x}}\forall_{\bar{y}}(\mathcal{D}_G\llbracket G_1\rrbracket\delta_k \cap (\mathcal{S}_G\llbracket G_2\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_3\rrbracket\delta_k) \cap \mathcal{D}_G\llbracket G_4\rrbracket\delta_k$

$\cap\ \mathit{mux}(\mathcal{S}_G\llbracket G_1\rrbracket, \mathcal{S}_G\llbracket G_4\rrbracket)$

$\cap\ \mathit{mux}(\mathcal{S}_G\llbracket G_1\rrbracket, \mathcal{S}_G\llbracket G_2, G_3\rrbracket))$
$= \mathcal{D}_G\llbracket p(\bar{x})\rrbracket\delta_{k+1}$

2.2 Induction step: $G = G_1, G_2$

Assume: $\gamma_{\mathit{vars}(G_{1/2})}(\mathcal{D}^\alpha_G\llbracket G_{1/2}\rrbracket\delta^\alpha_{k+1}) \subseteq \mathcal{D}_G\llbracket G_{1/2}\rrbracket\delta_{k+1}$
again, notice that: (1) $A \subseteq B \Rightarrow \gamma_B(f) \subseteq \gamma_A(f)$
and: $\mathit{vars}(G_1, G_2) = \mathit{vars}(G_1) \cup \mathit{vars}(G_2)$
and hence: ($2_1$) $\mathit{vars}(G_1) \subseteq \mathit{vars}(G_1, G_2)$
and similarly: ($2_2$) $\mathit{vars}(G_2) \subseteq \mathit{vars}(G_1, G_2)$

$\gamma_{\mathit{vars}(G_1, G_2)}(\mathcal{D}^\alpha_G\llbracket G_1, G_2\rrbracket\delta^\alpha_{k+1})$
$= \gamma_{\mathit{vars}(G_1, G_2)}((\mathcal{S}^\alpha_G\llbracket G_2\rrbracket \rightarrow \mathcal{D}^\alpha_G\llbracket G_1\rrbracket\delta^\alpha_{k+1}) \wedge (\mathcal{S}^\alpha_G\llbracket G_1\rrbracket \rightarrow \mathcal{D}^\alpha_G\llbracket G_2\rrbracket\delta^\alpha_{k+1}))$
(by monotonicity i.e. $\gamma_{\mathit{vars}(G_1, G_2)}(f_1 \wedge f_2) \subseteq \gamma_{\mathit{vars}(G_1, G_2)}(f_i)$)

$\subseteq (\gamma_{\mathit{vars}(G_1, G_2)}(\mathcal{S}^\alpha_G\llbracket G_2\rrbracket) \Rightarrow \gamma_{\mathit{vars}(G_1, G_2)}(\mathcal{D}^\alpha_G\llbracket G_1\rrbracket\delta^\alpha_{k+1})) \cap (\gamma_{\mathit{vars}(G_1, G_2)}(\mathcal{S}^\alpha_G\llbracket G_1\rrbracket) \Rightarrow \gamma_{\mathit{vars}(G_1, G_2)}(\mathcal{D}^\alpha_G\llbracket G_2\rrbracket\delta^\alpha_{k+1}))$

(by Proposition 1 and Proposition 3 and the induction assumption)

$\subseteq (\gamma_{\mathit{vars}(G_2)}(\mathcal{S}^\alpha_G\llbracket G_2\rrbracket) \Rightarrow \gamma_{\mathit{vars}(G_1)}(\mathcal{D}^\alpha_G\llbracket G_1\rrbracket\delta^\alpha_{k+1})) \cap (\gamma_{\mathit{vars}(G_1)}(\mathcal{S}^\alpha_G\llbracket G_1\rrbracket) \Rightarrow \gamma_{\mathit{vars}(G_2)}(\mathcal{D}^\alpha_G\llbracket G_2\rrbracket\delta^\alpha_{k+1}))$

(by (1), ($2_1$) and ($2_2$) above)
$\subseteq (\mathcal{S}_G\llbracket G_2\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_1\rrbracket\delta_{k+1}) \cap (\mathcal{S}_G\llbracket G_1\rrbracket \Rightarrow \mathcal{D}_G\llbracket G_2\rrbracket\delta_{k+1})$

$= \mathcal{D}_G\llbracket G_1, G_2\rrbracket\delta_{k+1}$

QED



